
Remove OpenSSL includes from headers, so C++ users don't need to have OpenSSL

rdb 8 éve
szülő
commit
f5f51c5d5b

+ 1 - 2
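--- a/dtool/src/parser-inc/openssl/evp.h
+++ b/dtool/src/parser-inc/openssl/evp.h
@@ -2,7 +2,6 @@
 #ifndef EVP_H
 #define EVP_H
 
-struct EVP_CIPHER_CTX;
-struct EVP_PKEY;
+#include <openssl/ssl.h>
 
 #endif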

+ 8 - 7
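--- a/dtool/src/parser-inc/openssl/ssl.h
+++ b/dtool/src/parser-inc/openssl/ssl.h
@@ -2,13 +2,14 @@
 #ifndef SSL_H
 #define SSL_H
 
-struct BIO;
-struct SSL_CTX;
-struct EVP_CIPHER_CTX;
-struct EVP_PKEY;
-struct X509;
-struct X509_STORE;
-struct X509_NAME;
+typedef struct bio_st BIO;
+typedef struct ssl_ctx_st SSL_CTX;
+typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
+typedef struct evp_pkey_st EVP_PKEY;
+typedef struct x509_st X509;
+typedef struct x509_store_st X509_STORE;
+typedef struct X509_name_st X509_NAME;
+typedef struct ssl_cipher_st SSL_CIPHER;
 struct SSL;
 #define STACK_OF(type) struct stack_st_##type
 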

+ 1 - 3
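--- a/dtool/src/parser-inc/openssl/x509.h
+++ b/dtool/src/parser-inc/openssl/x509.h
@@ -2,9 +2,7 @@
 #ifndef X509_H
 #define X509_H
 
-struct X509;
-struct X509_STORE;
-struct X509_NAME;
+#include <openssl/ssl.h>
 
 #endif
 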

+ 1 - 0
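--- a/dtool/src/prc/encryptStreamBuf.cxx
+++ b/dtool/src/prc/encryptStreamBuf.cxx
@@ -21,6 +21,7 @@
 #ifdef HAVE_OPENSSL
 
 #include "openssl/rand.h"
+#include "openssl/evp.h"
 
 #ifndef HAVE_STREAMSIZE
 // Some compilers (notably SGI) don't define this for us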

+ 1 - 1
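--- a/dtool/src/prc/encryptStreamBuf.h
+++ b/dtool/src/prc/encryptStreamBuf.h
@@ -19,7 +19,7 @@
 // This module is not compiled if OpenSSL is not available.
 #ifdef HAVE_OPENSSL
 
-#include "openssl/evp.h"
+typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
 
 /**
  * The streambuf object that implements IDecompressStream and OCompressStream.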
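Review bot: The new `typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;` carries no comment saying that it repeats OpenSSL's own declaration, so a reader cannot tell that the struct tag has to match the library's exactly. A one-line comment above it, such as `// Forward declaration matching OpenSSL's own typedef, so this header need not include openssl/evp.h.`, would record that; the same applies to the typedefs added in prcKeyRegistry.h, bioPtr.h, httpChannel.h, httpClient.h and multifile.h. An incomplete type also limits the class to holding pointers or references to EVP_CIPHER_CTX; the class body is outside the hunk, so that is worth confirming.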

+ 4 - 0
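--- a/dtool/src/prc/prcKeyRegistry.cxx
+++ b/dtool/src/prc/prcKeyRegistry.cxx
@@ -19,8 +19,12 @@
 
 #ifdef HAVE_OPENSSL
 
+#include "openssl/evp.h"
 #include "openssl/pem.h"
 
+// Some versions of OpenSSL appear to define this as a macro.  Yucky.
+#undef set_key
+
 PrcKeyRegistry *PrcKeyRegistry::_global_ptr = NULL;
 
 /**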

+ 1 - 3
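--- a/dtool/src/prc/prcKeyRegistry.h
+++ b/dtool/src/prc/prcKeyRegistry.h
@@ -22,10 +22,8 @@
 #ifdef HAVE_OPENSSL
 
 #include <vector>
-#include "openssl/evp.h"
 
-// Some versions of OpenSSL appear to define this as a macro.  Yucky.
-#undef set_key
+typedef struct evp_pkey_st EVP_PKEY;
 
 /**
  * This class records the set of public keys used to verify the signature on a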
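Review bot: Removing `#undef set_key` from this header leaves the class declaration exposed to OpenSSL's macro in any translation unit that includes an OpenSSL header before prcKeyRegistry.h; there the declaration would be parsed under the macro-expanded name, while prcKeyRegistry.cxx defines the method under its real name after its own `#undef`. The class body is outside the hunk, so this assumes it still declares a `set_key` method, as the removed comment implies. Keeping `// Some versions of OpenSSL appear to define this as a macro.` and `#undef set_key` in the header as well is harmless when no OpenSSL header has been seen and avoids the mismatch.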

+ 0 - 8
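--- a/panda/src/downloader/bioPtr.I
+++ b/panda/src/downloader/bioPtr.I
@@ -18,14 +18,6 @@ INLINE BioPtr::
 BioPtr(BIO *bio) : _bio(bio) {
 }
 
-/**
- *
- */
-INLINE bool BioPtr::
-should_retry() const {
-  return (_bio != NULL) && BIO_should_retry(_bio);
-}
-
 /**
  *
  */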

+ 12 - 1
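--- a/panda/src/downloader/bioPtr.cxx
+++ b/panda/src/downloader/bioPtr.cxx
@@ -18,6 +18,9 @@
 #include "urlSpec.h"
 #include "config_downloader.h"
 
+#include "openSSLWrapper.h"  // must be included before any other openssl.
+#include "openssl/ssl.h"
+
 #ifdef _WIN32
 #include <winsock2.h>
 #else
@@ -199,7 +202,7 @@ connect() {
 
     if (result != 0 && BIO_sock_should_retry(-1)) {
       // It's still in progress; we should retry later.  This causes
-      // should_reply() to return true.
+      // should_retry() to return true.
       BIO_set_flags(_bio, BIO_FLAGS_SHOULD_RETRY);
       _connecting = true;
       return false;
@@ -218,6 +221,14 @@ connect() {
   return true;
 }
 
+/**
+ *
+ */
+bool BioPtr::
+should_retry() const {
+  return (_bio != NULL) && BIO_should_retry(_bio);
+}
+
 /**
  *
  */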
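Review bot: `openssl/ssl.h` is now included in the first hunk without the `OPENSSL_NO_KRB5` guard that bioPtr.h used to define ahead of it. Unless openSSLWrapper.h defines that macro itself (not visible on this page), an OpenSSL build with Kerberos support enabled would pull in the Kerberos headers again; placing `#ifndef OPENSSL_NO_KRB5`, `#define OPENSSL_NO_KRB5`, `#endif` before the `openSSLWrapper.h` include keeps the previous behaviour. The same guard was removed from bioStreamBuf.h, bioStreamPtr.h and httpChannel.h, so the OpenSSL include added to httpChannel.cxx needs the same check.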

+ 3 - 7
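--- a/panda/src/downloader/bioPtr.h
+++ b/panda/src/downloader/bioPtr.h
@@ -19,13 +19,7 @@
 // This module is not compiled if OpenSSL is not available.
 #ifdef HAVE_OPENSSL
 
-#ifndef OPENSSL_NO_KRB5
-#define OPENSSL_NO_KRB5
-#endif
-
 #include "referenceCount.h"
-#include "openSSLWrapper.h"  // must be included before any other openssl.
-#include "openssl/ssl.h"
 
 #ifdef _WIN32
 #include <winsock2.h>
@@ -35,6 +29,8 @@
 #include <netinet/in.h>
 #endif
 
+typedef struct bio_st BIO;
+
 class URLSpec;
 
 /**
@@ -52,7 +48,7 @@ public:
   void set_nbio(bool nbio);
   bool connect();
 
-  INLINE bool should_retry() const;
+  bool should_retry() const;
 
   INLINE BIO &operator *() const;
   INLINE BIO *operator -> () const;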

+ 0 - 6
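--- a/panda/src/downloader/bioStreamBuf.h
+++ b/panda/src/downloader/bioStreamBuf.h
@@ -19,14 +19,8 @@
 // This module is not compiled if OpenSSL is not available.
 #ifdef HAVE_OPENSSL
 
-#ifndef OPENSSL_NO_KRB5
-#define OPENSSL_NO_KRB5
-#endif
-
 #include "bioPtr.h"
 #include "pointerTo.h"
-#include "openSSLWrapper.h"  // must be included before any other openssl.
-#include "openssl/ssl.h"
 
 /**
  * The streambuf object that implements IBioStream.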

+ 0 - 6
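--- a/panda/src/downloader/bioStreamPtr.h
+++ b/panda/src/downloader/bioStreamPtr.h
@@ -19,14 +19,8 @@
 // This module is not compiled if OpenSSL is not available.
 #ifdef HAVE_OPENSSL
 
-#ifndef OPENSSL_NO_KRB5
-#define OPENSSL_NO_KRB5
-#endif
-
 #include "bioStream.h"
 #include "referenceCount.h"
-#include "openSSLWrapper.h"  // must be included before any other openssl.
-#include "openssl/ssl.h"
 
 /**
  * A wrapper around an BioStream object to make a reference-counting pointer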

+ 2 - 0
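--- a/panda/src/downloader/httpChannel.cxx
+++ b/panda/src/downloader/httpChannel.cxx
@@ -27,6 +27,8 @@
 
 #ifdef HAVE_OPENSSL
 
+#include "openSSLWrapper.h"
+
 #if defined(WIN32_VC) || defined(WIN64_VC)
   #include <WinSock2.h>
   #include <windows.h>  // for select()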

+ 2 - 6
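--- a/panda/src/downloader/httpChannel.h
+++ b/panda/src/downloader/httpChannel.h
@@ -22,10 +22,6 @@
 
 #ifdef HAVE_OPENSSL
 
-#ifndef OPENSSL_NO_KRB5
-#define OPENSSL_NO_KRB5
-#endif
-
 #include "httpClient.h"
 #include "httpEnum.h"
 #include "urlSpec.h"
@@ -37,10 +33,10 @@
 #include "pointerTo.h"
 #include "config_downloader.h"
 #include "filename.h"
-#include "openSSLWrapper.h"  // must be included before any other openssl.
-#include "openssl/ssl.h"
 #include "typedReferenceCount.h"
 
+typedef struct bio_st BIO;
+
 class Ramfile;
 class HTTPClient;
 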

+ 64 - 62
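--- a/panda/src/downloader/httpClient.cxx
+++ b/panda/src/downloader/httpClient.cxx
@@ -24,6 +24,8 @@
 
 #ifdef HAVE_OPENSSL
 
+#include "openSSLWrapper.h"
+
 PT(HTTPClient) HTTPClient::_global_ptr;
 
 /**
@@ -68,6 +70,68 @@ tokenize(const string &str, vector_string &words, const string &delimiters) {
   words.push_back(string());
 }
 
+#ifndef NDEBUG
+/**
+ * This method is attached as a callback for SSL messages only when debug
+ * output is enabled.
+ */
+static void
+ssl_msg_callback(int write_p, int version, int content_type,
+                 const void *, size_t len, SSL *, void *) {
+  ostringstream describe;
+  if (write_p) {
+    describe << "sent ";
+  } else {
+    describe << "received ";
+  }
+  switch (version) {
+  case SSL2_VERSION:
+    describe << "SSL 2.0 ";
+    break;
+
+  case SSL3_VERSION:
+    describe << "SSL 3.0 ";
+    break;
+
+  case TLS1_VERSION:
+    describe << "TLS 1.0 ";
+    break;
+
+  default:
+    describe << "unknown protocol ";
+  }
+
+  describe << "message: ";
+
+  if (version != SSL2_VERSION) {
+    switch (content_type) {
+    case 20:
+      describe << "change cipher spec, ";
+      break;
+
+    case 21:
+      describe << "alert, ";
+      break;
+
+    case 22:
+      describe << "handshake, ";
+      break;
+
+    case 23:
+      describe << "application data, ";
+      break;
+
+    default:
+      describe << "unknown content type, ";
+    }
+  }
+
+  describe << len << " bytes.\n";
+
+  downloader_cat.debug() << describe.str();
+}
+#endif  // !defined(NDEBUG)
+
 /**
  *
  */
@@ -1564,68 +1628,6 @@ split_whitespace(string &a, string &b, const string &c) {
   b = c.substr(p);
 }
 
-#ifndef NDEBUG
-/**
- * This method is attached as a callback for SSL messages only when debug
- * output is enabled.
- */
-void HTTPClient::
-ssl_msg_callback(int write_p, int version, int content_type,
-                 const void *, size_t len, SSL *, void *) {
-  ostringstream describe;
-  if (write_p) {
-    describe << "sent ";
-  } else {
-    describe << "received ";
-  }
-  switch (version) {
-  case SSL2_VERSION:
-    describe << "SSL 2.0 ";
-    break;
-
-  case SSL3_VERSION:
-    describe << "SSL 3.0 ";
-    break;
-
-  case TLS1_VERSION:
-    describe << "TLS 1.0 ";
-    break;
-
-  default:
-    describe << "unknown protocol ";
-  }
-
-  describe << "message: ";
-
-  if (version != SSL2_VERSION) {
-    switch (content_type) {
-    case 20:
-      describe << "change cipher spec, ";
-      break;
-
-    case 21:
-      describe << "alert, ";
-      break;
-
-    case 22:
-      describe << "handshake, ";
-      break;
-
-    case 23:
-      describe << "application data, ";
-      break;
-
-    default:
-      describe << "unknown content type, ";
-    }
-  }
-
-  describe << len << " bytes.\n";
-
-  downloader_cat.debug() << describe.str();
-}
-#endif  // !defined(NDEBUG)
-
 /**
  *
  */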
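Review bot: The version switch in the relocated `ssl_msg_callback` knows only SSL 2.0, SSL 3.0 and TLS 1.0, so every TLS 1.1 or later record is logged as "unknown protocol", and the debug output cannot be used to confirm which protocol version a connection actually negotiated. Adding cases for the newer version constants, guarded so that older OpenSSL headers still compile, closes that gap. The content-type switch would also read better with OpenSSL's `SSL3_RT_CHANGE_CIPHER_SPEC`, `SSL3_RT_ALERT`, `SSL3_RT_HANDSHAKE` and `SSL3_RT_APPLICATION_DATA` in place of the literals 20 to 23.

```cpp
  switch (version) {
  // … unchanged: SSL2_VERSION, SSL3_VERSION and TLS1_VERSION cases …

#ifdef TLS1_1_VERSION
  case TLS1_1_VERSION:
    describe << "TLS 1.1 ";
    break;
#endif

#ifdef TLS1_2_VERSION
  case TLS1_2_VERSION:
    describe << "TLS 1.2 ";
    break;
#endif

  default:
    describe << "unknown protocol ";
  }
```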

+ 5 - 7
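--- a/panda/src/downloader/httpClient.h
+++ b/panda/src/downloader/httpClient.h
@@ -32,7 +32,11 @@
 #include "pmap.h"
 #include "pset.h"
 #include "referenceCount.h"
-#include "openSSLWrapper.h"
+
+typedef struct ssl_ctx_st SSL_CTX;
+typedef struct x509_st X509;
+typedef struct X509_name_st X509_NAME;
+typedef struct evp_pkey_st EVP_PKEY;
 
 class Filename;
 class HTTPChannel;
@@ -155,12 +159,6 @@ private:
 
   static void split_whitespace(string &a, string &b, const string &c);
 
-#ifndef NDEBUG
-  static void ssl_msg_callback(int write_p, int version, int content_type,
-                               const void *buf, size_t len, SSL *ssl,
-                               void *arg);
-#endif
-
   typedef pvector<URLSpec> Proxies;
   typedef pmap<string, Proxies> ProxiesByScheme;
   ProxiesByScheme _proxies_by_scheme;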

+ 2 - 37
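--- a/panda/src/express/multifile.cxx
+++ b/panda/src/express/multifile.cxx
@@ -26,6 +26,8 @@
 #include <iterator>
 #include <time.h>
 
+#include "openSSLWrapper.h"
+
 // This sequence of bytes begins each Multifile to identify it as a Multifile.
 const char Multifile::_header[] = "pmf\0\n\r";
 const size_t Multifile::_header_size = 6;
@@ -768,43 +770,6 @@ add_signature(const Filename &composite, const string &password) {
 }
 #endif  // HAVE_OPENSSL
 
-#ifdef HAVE_OPENSSL
-/**
- * Adds a new signature to the Multifile.  This signature associates the
- * indicated certificate with the current contents of the Multifile.  When the
- * Multifile is read later, the signature will still be present only if the
- * Multifile is unchanged; any subsequent changes to the Multifile will
- * automatically invalidate and remove the signature.
- *
- * If chain is non-NULL, it represents the certificate chain that validates
- * the certificate.
- *
- * The specified private key must match the certificate, and the Multifile
- * must be open in read-write mode.  The private key is only used for
- * generating the signature; it is not written to the Multifile and cannot be
- * retrieved from the Multifile later.  (However, the certificate *can* be
- * retrieved from the Multifile later, to identify the entity that created the
- * signature.)
- *
- * This implicitly causes a repack() operation if one is needed.  Returns true
- * on success, false on failure.
- */
-bool Multifile::
-add_signature(X509 *certificate, STACK_OF(X509) *chain, EVP_PKEY *pkey) {
-  // Convert the certificate and chain into our own CertChain structure.
-  CertChain cert_chain;
-  cert_chain.push_back(CertRecord(certificate));
-  if (chain != NULL) {
-    int num = sk_X509_num(chain);
-    for (int i = 0; i < num; ++i) {
-      cert_chain.push_back(CertRecord((X509 *)sk_X509_value(chain, i)));
-    }
-  }
-
-  return add_signature(cert_chain, pkey);
-}
-#endif  // HAVE_OPENSSL
-
 #ifdef HAVE_OPENSSL
 /**
  * Adds a new signature to the Multifile.  This signature associates the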

+ 5 - 2
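--- a/panda/src/express/multifile.h
+++ b/panda/src/express/multifile.h
@@ -24,7 +24,11 @@
 #include "indirectLess.h"
 #include "referenceCount.h"
 #include "pvector.h"
-#include "openSSLWrapper.h"
+
+#ifdef HAVE_OPENSSL
+typedef struct x509_st X509;
+typedef struct evp_pkey_st EVP_PKEY;
+#endif
 
 /**
  * A file that contains a set of files.
@@ -148,7 +152,6 @@ public:
   };
   typedef pvector<CertRecord> CertChain;
 
-  bool add_signature(X509 *certificate, STACK_OF(X509) *chain, EVP_PKEY *pkey);
   bool add_signature(const CertChain &chain, EVP_PKEY *pkey);
 
   const CertChain &get_signature(int n) const;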
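Review bot: Dropping the public `add_signature(X509 *certificate, STACK_OF(X509) *chain, EVP_PKEY *pkey)` overload in the second hunk is a source-breaking change for C++ callers, and nothing at the surviving declaration says how to replace it. A comment above `bool add_signature(const CertChain &chain, EVP_PKEY *pkey);` such as `// Build the CertChain from CertRecord(X509 *) entries: the signing certificate first, then any chain certificates.` would preserve what the removed wrapper did. The class body starts and ends outside the hunk, so whether these declarations sit inside a HAVE_OPENSSL guard that matches the new typedefs cannot be checked from here.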