diff --git a/dtool/src/parser-inc/openssl/evp.h b/dtool/src/parser-inc/openssl/evp.h
index a9ef1fd091..9cc780cb19 100644
--- a/dtool/src/parser-inc/openssl/evp.h
+++ b/dtool/src/parser-inc/openssl/evp.h
@@ -2,7 +2,6 @@
 #ifndef EVP_H
 #define EVP_H
-struct EVP_CIPHER_CTX;
-struct EVP_PKEY;
+#include
 #endif
diff --git a/dtool/src/parser-inc/openssl/ssl.h b/dtool/src/parser-inc/openssl/ssl.h
index d43aca6090..50fe63c4bc 100644
--- a/dtool/src/parser-inc/openssl/ssl.h
+++ b/dtool/src/parser-inc/openssl/ssl.h
@@ -2,13 +2,14 @@
 #ifndef SSL_H
 #define SSL_H
-struct BIO;
-struct SSL_CTX;
-struct EVP_CIPHER_CTX;
-struct EVP_PKEY;
-struct X509;
-struct X509_STORE;
-struct X509_NAME;
+typedef struct bio_st BIO;
+typedef struct ssl_ctx_st SSL_CTX;
+typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
+typedef struct evp_pkey_st EVP_PKEY;
+typedef struct x509_st X509;
+typedef struct x509_store_st X509_STORE;
+typedef struct X509_name_st X509_NAME;
+typedef struct ssl_cipher_st SSL_CIPHER;
 struct SSL;
 #define STACK_OF(type) struct stack_st_##type
diff --git a/dtool/src/parser-inc/openssl/x509.h b/dtool/src/parser-inc/openssl/x509.h
index bbd2598dfc..d2bfcbaa5c 100644
--- a/dtool/src/parser-inc/openssl/x509.h
+++ b/dtool/src/parser-inc/openssl/x509.h
@@ -2,9 +2,7 @@
 #ifndef X509_H
 #define X509_H
-struct X509;
-struct X509_STORE;
-struct X509_NAME;
+#include
 #endif
diff --git a/dtool/src/prc/encryptStreamBuf.cxx b/dtool/src/prc/encryptStreamBuf.cxx
index 6cb0ee6b39..3d428852d2 100644
--- a/dtool/src/prc/encryptStreamBuf.cxx
+++ b/dtool/src/prc/encryptStreamBuf.cxx
@@ -21,6 +21,7 @@
 #ifdef HAVE_OPENSSL
 #include "openssl/rand.h"
+#include "openssl/evp.h"
 #ifndef HAVE_STREAMSIZE
 // Some compilers (notably SGI) don't define this for us
diff --git a/dtool/src/prc/encryptStreamBuf.h b/dtool/src/prc/encryptStreamBuf.h
index 4861a89240..b7d95424c2 100644
--- a/dtool/src/prc/encryptStreamBuf.h
+++ b/dtool/src/prc/encryptStreamBuf.h
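Review bot: In the ssl.h stub, `struct SSL;` is the one handle left as a bare struct while every other OpenSSL type in the same hunk becomes a typedef of its OpenSSL struct tag; a project header that forward-declares SSL the same way the others now do (`typedef struct ssl_st SSL;`, which is OpenSSL's own spelling) would then clash with this stub when interrogate sees both. Suggest changing that line to `typedef struct ssl_st SSL;` for consistency. The new `+#include` lines in the evp.h and x509.h stubs have lost their target in this rendering, so what they pull in cannot be checked here.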
@@ -19,7 +19,7 @@
 // This module is not compiled if OpenSSL is not available.
 #ifdef HAVE_OPENSSL
-#include "openssl/evp.h"
+typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
 /**
 * The streambuf object that implements IDecompressStream and OCompressStream.
diff --git a/dtool/src/prc/prcKeyRegistry.cxx b/dtool/src/prc/prcKeyRegistry.cxx
index 9b760ac53d..6329a8abbd 100644
--- a/dtool/src/prc/prcKeyRegistry.cxx
+++ b/dtool/src/prc/prcKeyRegistry.cxx
@@ -19,8 +19,12 @@
 #ifdef HAVE_OPENSSL
+#include "openssl/evp.h"
 #include "openssl/pem.h"
+// Some versions of OpenSSL appear to define this as a macro. Yucky.
+#undef set_key
 PrcKeyRegistry *PrcKeyRegistry::_global_ptr = NULL;
 /**
diff --git a/dtool/src/prc/prcKeyRegistry.h b/dtool/src/prc/prcKeyRegistry.h
index 1b53287215..69e25d949e 100644
--- a/dtool/src/prc/prcKeyRegistry.h
+++ b/dtool/src/prc/prcKeyRegistry.h
@@ -22,10 +22,8 @@
 #ifdef HAVE_OPENSSL
 #include
-#include "openssl/evp.h"
-// Some versions of OpenSSL appear to define this as a macro. Yucky.
-#undef set_key
+typedef struct evp_pkey_st EVP_PKEY;
 /**
 * This class records the set of public keys used to verify the signature on a
diff --git a/panda/src/downloader/bioPtr.I b/panda/src/downloader/bioPtr.I
index f09ee7bbc8..a1e1f13e1d 100644
--- a/panda/src/downloader/bioPtr.I
+++ b/panda/src/downloader/bioPtr.I
@@ -18,14 +18,6 @@ INLINE BioPtr::
 BioPtr(BIO *bio) : _bio(bio) {
 }
-/**
- *
- */
-INLINE bool BioPtr::
-should_retry() const {
- return (_bio != NULL) && BIO_should_retry(_bio);
-}
-
 /**
 *
 */
diff --git a/panda/src/downloader/bioPtr.cxx b/panda/src/downloader/bioPtr.cxx
index 15fe997c02..b86f37f816 100644
--- a/panda/src/downloader/bioPtr.cxx
+++ b/panda/src/downloader/bioPtr.cxx
@@ -18,6 +18,9 @@
 #include "urlSpec.h"
 #include "config_downloader.h"
+#include "openSSLWrapper.h" // must be included before any other openssl.
+#include "openssl/ssl.h"
+
 #ifdef _WIN32
 #include
 #else
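Review bot: The new `typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;` re-declares an OpenSSL type through OpenSSL's own struct tag, and it only works if the class keeps its cipher contexts by pointer; the members are outside this hunk, and a by-value `EVP_CIPHER_CTX` member would no longer compile here (and is incompatible with the opaque context type in newer OpenSSL in any case). It deserves a comment so the next maintainer does not "fix" it back to an include: `// Forward declaration via OpenSSL's struct tag, so this public header does not drag in openssl/evp.h; the name must match OpenSSL's own typedef.`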
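Review bot: `#undef set_key` now lives only in this translation unit, after the OpenSSL includes, so it covers the definitions here but no longer protects the class declaration in prcKeyRegistry.h, which previously carried the undef itself. Any other TU that includes the OpenSSL header defining `set_key` before prcKeyRegistry.h will see the member name macro-expanded in the class declaration and fail to compile or link against this TU; keeping `#undef set_key` in the header as well (it no longer needs the OpenSSL include to justify it) closes that gap. This assumes the class declares a `set_key` member, which is outside the hunk.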
@@ -199,7 +202,7 @@ connect() {
 if (result != 0 && BIO_sock_should_retry(-1)) {
 // It's still in progress; we should retry later. This causes
- // should_reply() to return true.
+ // should_retry() to return true.
 BIO_set_flags(_bio, BIO_FLAGS_SHOULD_RETRY);
 _connecting = true;
 return false;
@@ -218,6 +221,14 @@ connect() {
 return true;
 }
+/**
+ *
+ */
+bool BioPtr::
+should_retry() const {
+ return (_bio != NULL) && BIO_should_retry(_bio);
+}
+
 /**
 *
 */
diff --git a/panda/src/downloader/bioPtr.h b/panda/src/downloader/bioPtr.h
index 332a1fc715..090ae20608 100644
--- a/panda/src/downloader/bioPtr.h
+++ b/panda/src/downloader/bioPtr.h
@@ -19,13 +19,7 @@
 // This module is not compiled if OpenSSL is not available.
 #ifdef HAVE_OPENSSL
-#ifndef OPENSSL_NO_KRB5
-#define OPENSSL_NO_KRB5
-#endif
-
 #include "referenceCount.h"
-#include "openSSLWrapper.h" // must be included before any other openssl.
-#include "openssl/ssl.h"
 #ifdef _WIN32
 #include
@@ -35,6 +29,8 @@
 #include
 #endif
+typedef struct bio_st BIO;
 class URLSpec;
@@ -52,7 +48,7 @@ public:
 void set_nbio(bool nbio);
 bool connect();
- INLINE bool should_retry() const;
+ bool should_retry() const;
 INLINE BIO &operator *() const;
 INLINE BIO *operator -> () const;
diff --git a/panda/src/downloader/bioStreamBuf.h b/panda/src/downloader/bioStreamBuf.h
index c9174b30b1..0378d9db65 100644
--- a/panda/src/downloader/bioStreamBuf.h
+++ b/panda/src/downloader/bioStreamBuf.h
@@ -19,14 +19,8 @@
 // This module is not compiled if OpenSSL is not available.
 #ifdef HAVE_OPENSSL
-#ifndef OPENSSL_NO_KRB5
-#define OPENSSL_NO_KRB5
-#endif
-
 #include "bioPtr.h"
 #include "pointerTo.h"
-#include "openSSLWrapper.h" // must be included before any other openssl.
-#include "openssl/ssl.h"
 /**
 * The streambuf object that implements IBioStream.
diff --git a/panda/src/downloader/bioStreamPtr.h b/panda/src/downloader/bioStreamPtr.h
index aa5c8a28bf..3f23040d20 100644
--- a/panda/src/downloader/bioStreamPtr.h
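Review bot: The out-of-line `should_retry()` added here carries an empty doc comment, and its meaning depends on `connect()` setting `BIO_FLAGS_SHOULD_RETRY` in the previous hunk, so it deserves a sentence: `Returns true if the last operation on the underlying BIO (for instance a non-blocking connect() still in progress) should be retried later, as reported by BIO_should_retry(); returns false when there is no BIO.` Moving the body out of bioPtr.I is what lets bioPtr.h stop including the OpenSSL headers, which is worth stating in the comment as well so nobody inlines it again.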
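Review bot: Dropping the `OPENSSL_NO_KRB5` define from bioPtr.h is only safe if something still defines it before `openssl/ssl.h` is included in bioPtr.cxx, which now includes that header directly; on pre-1.1 OpenSSL builds with Kerberos enabled, ssl.h otherwise pulls in kssl.h and the Kerberos headers, which is what this guard was working around. If openSSLWrapper.h ("must be included before any other openssl") already defines it, a one-line comment there saying so would stop the guard from being reintroduced per header. The same removal is repeated in bioStreamBuf.h, bioStreamPtr.h and httpChannel.h, so one central definition is the right place.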
+++ b/panda/src/downloader/bioStreamPtr.h
@@ -19,14 +19,8 @@
 // This module is not compiled if OpenSSL is not available.
 #ifdef HAVE_OPENSSL
-#ifndef OPENSSL_NO_KRB5
-#define OPENSSL_NO_KRB5
-#endif
-
 #include "bioStream.h"
 #include "referenceCount.h"
-#include "openSSLWrapper.h" // must be included before any other openssl.
-#include "openssl/ssl.h"
 /**
 * A wrapper around an BioStream object to make a reference-counting pointer
diff --git a/panda/src/downloader/httpChannel.cxx b/panda/src/downloader/httpChannel.cxx
index 3c90d63c3c..a7eb5f58d3 100644
--- a/panda/src/downloader/httpChannel.cxx
+++ b/panda/src/downloader/httpChannel.cxx
@@ -27,6 +27,8 @@
 #ifdef HAVE_OPENSSL
+#include "openSSLWrapper.h"
+
 #if defined(WIN32_VC) || defined(WIN64_VC)
 #include
 #include // for select()
diff --git a/panda/src/downloader/httpChannel.h b/panda/src/downloader/httpChannel.h
index 4c4ddfa312..b9131eba9a 100644
--- a/panda/src/downloader/httpChannel.h
+++ b/panda/src/downloader/httpChannel.h
@@ -22,10 +22,6 @@
 #ifdef HAVE_OPENSSL
-#ifndef OPENSSL_NO_KRB5
-#define OPENSSL_NO_KRB5
-#endif
-
 #include "httpClient.h"
 #include "httpEnum.h"
 #include "urlSpec.h"
@@ -37,10 +33,10 @@
 #include "pointerTo.h"
 #include "config_downloader.h"
 #include "filename.h"
-#include "openSSLWrapper.h" // must be included before any other openssl.
-#include "openssl/ssl.h"
 #include "typedReferenceCount.h"
+typedef struct bio_st BIO;
+
 class Ramfile;
 class HTTPClient;
diff --git a/panda/src/downloader/httpClient.cxx b/panda/src/downloader/httpClient.cxx
index 129d5fb6be..4770d6916d 100644
--- a/panda/src/downloader/httpClient.cxx
+++ b/panda/src/downloader/httpClient.cxx
@@ -24,6 +24,8 @@
 #ifdef HAVE_OPENSSL
+#include "openSSLWrapper.h"
+
 PT(HTTPClient) HTTPClient::_global_ptr;
 /**
@@ -68,6 +70,68 @@ tokenize(const string &str, vector_string &words, const string &delimiters) {
 words.push_back(string());
 }
+#ifndef NDEBUG
+/**
+ * This method is attached as a callback for SSL messages only when debug
+ * output is enabled.
+ */
+static void
+ssl_msg_callback(int write_p, int version, int content_type,
+ const void *, size_t len, SSL *, void *) {
+ ostringstream describe;
+ if (write_p) {
+ describe << "sent ";
+ } else {
+ describe << "received ";
+ }
+ switch (version) {
+ case SSL2_VERSION:
+ describe << "SSL 2.0 ";
+ break;
+
+ case SSL3_VERSION:
+ describe << "SSL 3.0 ";
+ break;
+
+ case TLS1_VERSION:
+ describe << "TLS 1.0 ";
+ break;
+
+ default:
+ describe << "unknown protocol ";
+ }
+
+ describe << "message: ";
+
+ if (version != SSL2_VERSION) {
+ switch (content_type) {
+ case 20:
+ describe << "change cipher spec, ";
+ break;
+
+ case 21:
+ describe << "alert, ";
+ break;
+
+ case 22:
+ describe << "handshake, ";
+ break;
+
+ case 23:
+ describe << "application data, ";
+ break;
+
+ default:
+ describe << "unknown content type, ";
+ }
+ }
+
+ describe << len << " bytes.\n";
+
+ downloader_cat.debug() << describe.str();
+}
+#endif // !defined(NDEBUG)
+
 /**
 *
 */
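Review bot: The `version` switch in the relocated `ssl_msg_callback` recognises only SSL 2.0, SSL 3.0 and TLS 1.0, so every TLS 1.1 and TLS 1.2 record is logged as "unknown protocol" and the raw version number is discarded, which makes the debug trace least useful for exactly the sessions a modern peer will negotiate. Add cases for `TLS1_1_VERSION` and `TLS1_2_VERSION`, guarded because older OpenSSL headers do not define them, and print the numeric version in the default branch. The content-type magic numbers 20-23 could likewise use OpenSSL's `SSL3_RT_CHANGE_CIPHER_SPEC`, `SSL3_RT_ALERT`, `SSL3_RT_HANDSHAKE` and `SSL3_RT_APPLICATION_DATA` names. The function is only moved from a class member to a file-static here, so its signature and the rest of its body are otherwise unchanged.
```cpp
  switch (version) {
  // … unchanged: SSL2_VERSION, SSL3_VERSION and TLS1_VERSION cases …
#ifdef TLS1_1_VERSION
  case TLS1_1_VERSION:
    describe << "TLS 1.1 ";
    break;
#endif
#ifdef TLS1_2_VERSION
  case TLS1_2_VERSION:
    describe << "TLS 1.2 ";
    break;
#endif
  default:
    // Keep the raw value so an unrecognised record can still be identified.
    describe << "unknown protocol (" << version << ") ";
  }
```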
@@ -1564,68 +1628,6 @@ split_whitespace(string &a, string &b, const string &c) {
 b = c.substr(p);
 }
-#ifndef NDEBUG
-/**
- * This method is attached as a callback for SSL messages only when debug
- * output is enabled.
- */
-void HTTPClient::
-ssl_msg_callback(int write_p, int version, int content_type,
- const void *, size_t len, SSL *, void *) {
- ostringstream describe;
- if (write_p) {
- describe << "sent ";
- } else {
- describe << "received ";
- }
- switch (version) {
- case SSL2_VERSION:
- describe << "SSL 2.0 ";
- break;
-
- case SSL3_VERSION:
- describe << "SSL 3.0 ";
- break;
-
- case TLS1_VERSION:
- describe << "TLS 1.0 ";
- break;
-
- default:
- describe << "unknown protocol ";
- }
-
- describe << "message: ";
-
- if (version != SSL2_VERSION) {
- switch (content_type) {
- case 20:
- describe << "change cipher spec, ";
- break;
-
- case 21:
- describe << "alert, ";
- break;
-
- case 22:
- describe << "handshake, ";
- break;
-
- case 23:
- describe << "application data, ";
- break;
-
- default:
- describe << "unknown content type, ";
- }
- }
-
- describe << len << " bytes.\n";
-
- downloader_cat.debug() << describe.str();
-}
-#endif // !defined(NDEBUG)
-
 /**
 *
 */
diff --git a/panda/src/downloader/httpClient.h b/panda/src/downloader/httpClient.h
index d901066357..1efab58460 100644
--- a/panda/src/downloader/httpClient.h
+++ b/panda/src/downloader/httpClient.h
@@ -32,7 +32,11 @@
 #include "pmap.h"
 #include "pset.h"
 #include "referenceCount.h"
-#include "openSSLWrapper.h"
+
+typedef struct ssl_ctx_st SSL_CTX;
+typedef struct x509_st X509;
+typedef struct X509_name_st X509_NAME;
+typedef struct evp_pkey_st EVP_PKEY;
 class Filename;
 class HTTPChannel;
@@ -155,12 +159,6 @@ private:
 static void split_whitespace(string &a, string &b, const string &c);
-#ifndef NDEBUG
- static void ssl_msg_callback(int write_p, int version, int content_type,
- const void *buf, size_t len, SSL *ssl,
- void *arg);
-#endif
-
 typedef pvector Proxies;
 typedef pmap ProxiesByScheme;
 ProxiesByScheme _proxies_by_scheme;
diff --git a/panda/src/express/multifile.cxx b/panda/src/express/multifile.cxx
index 2f7cda439b..0d98849efe 100644
--- a/panda/src/express/multifile.cxx
+++ b/panda/src/express/multifile.cxx
@@ -26,6 +26,8 @@
 #include
 #include
+#include "openSSLWrapper.h"
+
 // This sequence of bytes begins each Multifile to identify it as a Multifile.
 const char Multifile::_header[] = "pmf\0\n\r";
 const size_t Multifile::_header_size = 6;
@@ -768,43 +770,6 @@ add_signature(const Filename &composite, const string &password) {
 }
 #endif // HAVE_OPENSSL
-#ifdef HAVE_OPENSSL
-/**
- * Adds a new signature to the Multifile. This signature associates the
- * indicated certificate with the current contents of the Multifile. When the
- * Multifile is read later, the signature will still be present only if the
- * Multifile is unchanged; any subsequent changes to the Multifile will
- * automatically invalidate and remove the signature.
- *
- * If chain is non-NULL, it represents the certificate chain that validates
- * the certificate.
- *
- * The specified private key must match the certificate, and the Multifile
- * must be open in read-write mode. The private key is only used for
- * generating the signature; it is not written to the Multifile and cannot be
- * retrieved from the Multifile later. (However, the certificate *can* be
- * retrieved from the Multifile later, to identify the entity that created the
- * signature.)
- *
- * This implicitly causes a repack() operation if one is needed. Returns true
- * on success, false on failure.
- */
-bool Multifile::
-add_signature(X509 *certificate, STACK_OF(X509) *chain, EVP_PKEY *pkey) {
- // Convert the certificate and chain into our own CertChain structure.
- CertChain cert_chain;
- cert_chain.push_back(CertRecord(certificate));
- if (chain != NULL) {
- int num = sk_X509_num(chain);
- for (int i = 0; i < num; ++i) {
- cert_chain.push_back(CertRecord((X509 *)sk_X509_value(chain, i)));
- }
- }
-
- return add_signature(cert_chain, pkey);
-}
-#endif // HAVE_OPENSSL
-
 #ifdef HAVE_OPENSSL
 /**
 * Adds a new signature to the Multifile. This signature associates the
diff --git a/panda/src/express/multifile.h b/panda/src/express/multifile.h
index 578ac70d6d..5c6ec16feb 100644
--- a/panda/src/express/multifile.h
+++ b/panda/src/express/multifile.h
@@ -24,7 +24,11 @@
 #include "indirectLess.h"
 #include "referenceCount.h"
 #include "pvector.h"
-#include "openSSLWrapper.h"
+
+#ifdef HAVE_OPENSSL
+typedef struct x509_st X509;
+typedef struct evp_pkey_st EVP_PKEY;
+#endif
 /**
 * A file that contains a set of files.
@@ -148,7 +152,6 @@ public:
 };
 typedef pvector CertChain;
- bool add_signature(X509 *certificate, STACK_OF(X509) *chain, EVP_PKEY *pkey);
 bool add_signature(const CertChain &chain, EVP_PKEY *pkey);
 const CertChain &get_signature(int n) const;
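Review bot: With `openSSLWrapper.h` replaced by two forward typedefs, multifile.h no longer supplies OpenSSL declarations to anything that includes it, and the next hunk removes the `add_signature(X509 *, STACK_OF(X509) *, EVP_PKEY *)` overload; together that is a source-incompatible change for external code that signed Multifiles from a certificate plus chain, and nothing visible in the diff records it. The surviving `bool add_signature(const CertChain &chain, EVP_PKEY *pkey);` still names `EVP_PKEY`, so if that declaration is not itself inside an `#ifdef HAVE_OPENSSL` block (its guard, if any, is outside the hunk) it now refers to an undeclared type in builds without OpenSSL. A short comment on the new block would also help: `// Forward declarations of the OpenSSL handle types used in this public API, so that including multifile.h does not require the OpenSSL headers.`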