commit 170a4b383f8d4e2f18e6d23dbd6679ab73a07303
author David Benjamin <davidben@webrtc.org> Wed Jan 30 15:46:16 2019
committer Commit Bot <commit-bot@chromium.org> Wed Jan 30 17:09:49 2019
tree 71cb707516b33633c500a9732b705117852a18ad
parent 71f94c93a63d8a18f8dc0b71ac3cffc005d789ee

Trim unnecessary OpenSSL/BoringSSL ifdefs.

Now that WebRTC requires OpenSSL 1.1.0 as minimum, some bits can be
removed. The simpler versioning API is shared between BoringSSL and
OpenSSL 1.1.0, and there are some remnants of the threading callbacks
that can be removed.

Bug: none
Change-Id: I2078ca9c444b1f1efa9e4b235eb4e6037865d8fb
Reviewed-on: https://webrtc-review.googlesource.com/c/120261
Commit-Queue: David Benjamin <davidben@webrtc.org>
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Reviewed-by: Benjamin Wright <benwright@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#26475}

rtc_base/openssl_stream_adapter.cc

diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index 0245976..bbb2dce 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -819,20 +819,6 @@
   SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
                          SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 
-#if !defined(OPENSSL_IS_BORINGSSL)
-  // Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot
-  // negotiate them when acting as the server. Use NIST's P-256 which is
-  // commonly supported. BoringSSL doesn't need explicit configuration and has
-  // a reasonable default set.
-  EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-  if (ecdh == nullptr) {
-    return -1;
-  }
-  SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE);
-  SSL_set_tmp_ecdh(ssl_, ecdh);
-  EC_KEY_free(ecdh);
-#endif
-
   // Do the connect
   return ContinueSSL();
 }
@@ -966,57 +952,14 @@
 }
 
 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
-  SSL_CTX* ctx = nullptr;
-
-#ifdef OPENSSL_IS_BORINGSSL
-  ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
-// Version limiting for BoringSSL will be done below.
-#else
-  const SSL_METHOD* method;
-  switch (ssl_max_version_) {
-    case SSL_PROTOCOL_TLS_10:
-    case SSL_PROTOCOL_TLS_11:
-      // OpenSSL doesn't support setting min/max versions, so we always use
-      // (D)TLS 1.0 if a max. version below the max. available is requested.
-      if (ssl_mode_ == SSL_MODE_DTLS) {
-        if (role_ == SSL_CLIENT) {
-          method = DTLSv1_client_method();
-        } else {
-          method = DTLSv1_server_method();
-        }
-      } else {
-        if (role_ == SSL_CLIENT) {
-          method = TLSv1_client_method();
-        } else {
-          method = TLSv1_server_method();
-        }
-      }
-      break;
-    case SSL_PROTOCOL_TLS_12:
-    default:
-      if (ssl_mode_ == SSL_MODE_DTLS) {
-        if (role_ == SSL_CLIENT) {
-          method = DTLS_client_method();
-        } else {
-          method = DTLS_server_method();
-        }
-      } else {
-        if (role_ == SSL_CLIENT) {
-          method = TLS_client_method();
-        } else {
-          method = TLS_server_method();
-        }
-      }
-      break;
-  }
-  ctx = SSL_CTX_new(method);
-#endif  // OPENSSL_IS_BORINGSSL
-
+  SSL_CTX* ctx =
+      SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
   if (ctx == nullptr) {
     return nullptr;
   }
 
-#ifdef OPENSSL_IS_BORINGSSL
+  // TODO(https://bugs.webrtc.org/10261): Evaluate and drop (D)TLS 1.0 and 1.1
+  // support by default.
   SSL_CTX_set_min_proto_version(
       ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
   switch (ssl_max_version_) {
@@ -1034,6 +977,8 @@
           ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
       break;
   }
+#ifdef OPENSSL_IS_BORINGSSL
+  // SSL_CTX_set_current_time_cb is only supported in BoringSSL.
   if (g_use_time_callback_for_testing) {
     SSL_CTX_set_current_time_cb(ctx, &TimeCallbackForTesting);
   }