Diffstat (limited to 'linux-x86/include')
25 files changed, 1086 insertions, 699 deletions
diff --git a/linux-x86/include/openssl/aead.h b/linux-x86/include/openssl/aead.h index 2633880..376bff1 100644 --- a/linux-x86/include/openssl/aead.h +++ b/linux-x86/include/openssl/aead.h @@ -138,12 +138,10 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void); // authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void); -// EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See -// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 +// EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See RFC 8452. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void); -// EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See -// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 +// EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See RFC 8452. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void); // EVP_aead_aes_128_gcm_randnonce is AES-128 in Galois Counter Mode with @@ -212,7 +210,7 @@ OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead); // AEAD operations. union evp_aead_ctx_st_state { - uint8_t opaque[580]; + uint8_t opaque[564]; uint64_t alignment; }; @@ -402,6 +400,8 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx); OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void); OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void); +OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void); + OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void); OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void); diff --git a/linux-x86/include/openssl/arm_arch.h b/linux-x86/include/openssl/arm_arch.h index 7215f62..60b30f5 100644 --- a/linux-x86/include/openssl/arm_arch.h +++ b/linux-x86/include/openssl/arm_arch.h 
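Review bot: Shrinking `opaque` from 580 to 564 bytes in `union evp_aead_ctx_st_state` changes the size of every caller-allocated AEAD context, and nothing in this header ties the number to the largest per-AEAD state the library stores in it. These are prebuilt headers, so if the library binary shipped next to them is older than the header it may still assume the 580-byte buffer; that cannot be checked from this diff, but the header and binary have to move together. I would add a comment above the member such as `// Must be at least as large as the largest AEAD state; update in lockstep with the library.`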
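Review bot: `EVP_aead_aes_128_cbc_sha256_tls` is exported here with no comment of its own, while the GCM-SIV declarations touched earlier in this file each carry one. Judging by the name and its neighbours this is a TLS record-layer CBC+HMAC construction rather than a general-purpose AEAD, and a reader of the header should not have to guess that. I would add `// EVP_aead_aes_128_cbc_sha256_tls is AES-128-CBC with HMAC-SHA256 as used by legacy TLS cipher suites. It must only be used for the TLS record layer.` above the declaration. The section heading that covers these `_tls` functions lies outside the hunk.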
@@ -53,12 +53,13 @@ #ifndef OPENSSL_HEADER_ARM_ARCH_H #define OPENSSL_HEADER_ARM_ARCH_H +#include <openssl/target.h> + // arm_arch.h contains symbols used by ARM assembly, and the C code that calls // it. It is included as a public header to simplify the build, but is not // intended for external use. -#if defined(__ARMEL__) || defined(_M_ARM) || defined(__AARCH64EL__) || \ - defined(_M_ARM64) +#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) // ARMV7_NEON is true when a NEON unit is present in the current CPU. #define ARMV7_NEON (1 << 0) 
@@ -97,124 +98,8 @@ // will be included. #define __ARM_MAX_ARCH__ 8 -// Support macros for -// - Armv8.3-A Pointer Authentication and -// - Armv8.5-A Branch Target Identification -// features which require emitting a .note.gnu.property section with the -// appropriate architecture-dependent feature bits set. -// -// |AARCH64_SIGN_LINK_REGISTER| and |AARCH64_VALIDATE_LINK_REGISTER| expand to -// PACIxSP and AUTIxSP, respectively. |AARCH64_SIGN_LINK_REGISTER| should be -// used immediately before saving the LR register (x30) to the stack. -// |AARCH64_VALIDATE_LINK_REGISTER| should be used immediately after restoring -// it. Note |AARCH64_SIGN_LINK_REGISTER|'s modifications to LR must be undone -// with |AARCH64_VALIDATE_LINK_REGISTER| before RET. The SP register must also -// have the same value at the two points. For example: -// -// .global f -// f: -// AARCH64_SIGN_LINK_REGISTER -// stp x29, x30, [sp, #-96]! -// mov x29, sp -// ... -// ldp x29, x30, [sp], #96 -// AARCH64_VALIDATE_LINK_REGISTER -// ret -// -// |AARCH64_VALID_CALL_TARGET| expands to BTI 'c'. Either it, or -// |AARCH64_SIGN_LINK_REGISTER|, must be used at every point that may be an -// indirect call target. In particular, all symbols exported from a file must -// begin with one of these macros. For example, a leaf function that does not -// save LR can instead use |AARCH64_VALID_CALL_TARGET|: -// -// .globl return_zero -// return_zero: -// AARCH64_VALID_CALL_TARGET -// mov x0, #0 -// ret -// -// A non-leaf function which does not immediately save LR may need both macros -// because |AARCH64_SIGN_LINK_REGISTER| appears late. For example, the function -// may jump to an alternate implementation before setting up the stack: -// -// .globl with_early_jump -// with_early_jump: -// AARCH64_VALID_CALL_TARGET -// cmp x0, #128 -// b.lt .Lwith_early_jump_128 -// AARCH64_SIGN_LINK_REGISTER -// stp x29, x30, [sp, #-96]! -// mov x29, sp -// ... 
-// ldp x29, x30, [sp], #96 -// AARCH64_VALIDATE_LINK_REGISTER -// ret -// -// .Lwith_early_jump_128: -// ... -// ret -// -// These annotations are only required with indirect calls. Private symbols that -// are only the target of direct calls do not require annotations. Also note -// that |AARCH64_VALID_CALL_TARGET| is only valid for indirect calls (BLR), not -// indirect jumps (BR). Indirect jumps in assembly are currently not supported -// and would require a macro for BTI 'j'. -// -// Although not necessary, it is safe to use these macros in 32-bit ARM -// assembly. This may be used to simplify dual 32-bit and 64-bit files. -// -// References: -// - "ELF for the ArmĀ® 64-bit Architecture" -// https://github.com/ARM-software/abi-aa/blob/master/aaelf64/aaelf64.rst -// - "Providing protection for complex software" -// https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software - -#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 -#define GNU_PROPERTY_AARCH64_BTI (1 << 0) // Has Branch Target Identification -#define AARCH64_VALID_CALL_TARGET hint #34 // BTI 'c' -#else -#define GNU_PROPERTY_AARCH64_BTI 0 // No Branch Target Identification -#define AARCH64_VALID_CALL_TARGET -#endif - -#if defined(__ARM_FEATURE_PAC_DEFAULT) && \ - (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 // Signed with A-key -#define GNU_PROPERTY_AARCH64_POINTER_AUTH \ - (1 << 1) // Has Pointer Authentication -#define AARCH64_SIGN_LINK_REGISTER hint #25 // PACIASP -#define AARCH64_VALIDATE_LINK_REGISTER hint #29 // AUTIASP -#elif defined(__ARM_FEATURE_PAC_DEFAULT) && \ - (__ARM_FEATURE_PAC_DEFAULT & 2) == 2 // Signed with B-key -#define GNU_PROPERTY_AARCH64_POINTER_AUTH \ - (1 << 1) // Has Pointer Authentication -#define AARCH64_SIGN_LINK_REGISTER hint #27 // PACIBSP -#define AARCH64_VALIDATE_LINK_REGISTER hint #31 // AUTIBSP -#else -#define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 // No Pointer Authentication -#if GNU_PROPERTY_AARCH64_BTI != 
0 -#define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET -#else -#define AARCH64_SIGN_LINK_REGISTER -#endif -#define AARCH64_VALIDATE_LINK_REGISTER -#endif - -#if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0 -.pushsection .note.gnu.property, "a"; -.balign 8; -.long 4; -.long 0x10; -.long 0x5; -.asciz "GNU"; -.long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */ -.long 4; -.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI); -.long 0; -.popsection; -#endif - #endif // __ASSEMBLER__ -#endif // __ARMEL__ || _M_ARM || __AARCH64EL__ || _M_ARM64 +#endif // ARM || AARCH64 #endif // OPENSSL_HEADER_ARM_ARCH_H diff --git a/linux-x86/include/openssl/asm_base.h b/linux-x86/include/openssl/asm_base.h new file mode 100644 index 0000000..9eb3181 --- /dev/null +++ b/linux-x86/include/openssl/asm_base.h 
@@ -0,0 +1,207 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_ASM_BASE_H +#define OPENSSL_HEADER_ASM_BASE_H + +#include <openssl/target.h> + + +// This header contains symbols and common sections used by assembly files. It +// is included as a public header to simplify the build, but is not intended for +// external use. +// +// Every assembly file must include this header. Some linker features require +// all object files to be tagged with some section metadata. This header file, +// when included in assembly, adds that metadata. It also makes defines like +// |OPENSSL_X86_64| available and includes the prefixing macros. +// +// Including this header in an assembly file imples: +// +// - The file does not require an executable stack. +// +// - The file, on aarch64, uses the macros defined below to be compatible with +// BTI and PAC. +// +// - The file, on x86_64, requires the program to be compatible with Intel IBT +// and SHSTK + +#if defined(__ASSEMBLER__) + +#if defined(BORINGSSL_PREFIX) +#include <boringssl_prefix_symbols_asm.h> +#endif + +#if defined(__ELF__) +// Every ELF object file, even empty ones, should disable executable stacks. See +// https://www.airs.com/blog/archives/518. 
+.pushsection .note.GNU-stack, "", %progbits +.popsection +#endif + +#if defined(__CET__) && defined(OPENSSL_X86_64) +// Clang and GCC define __CET__ and provide <cet.h> when they support Intel's +// Indirect Branch Tracking. +// https://lpc.events/event/7/contributions/729/attachments/496/903/CET-LPC-2020.pdf +// +// cet.h defines _CET_ENDBR which is used to mark function entry points for IBT. +// and adds the assembly marker. The value of _CET_ENDBR is made dependant on if +// '-fcf-protection' is passed to the compiler. _CET_ENDBR is only required when +// the function is the target of an indirect jump, but BoringSSL chooses to mark +// all assembly entry points because it is easier, and allows BoringSSL's ABI +// tester to call the assembly entry points via an indirect jump. +#include <cet.h> +#else +#define _CET_ENDBR +#endif + +#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) + +// We require the ARM assembler provide |__ARM_ARCH| from Arm C Language +// Extensions (ACLE). This is supported in GCC 4.8+ and Clang 3.2+. MSVC does +// not implement ACLE, but we require Clang's assembler on Windows. +#if !defined(__ARM_ARCH) +#error "ARM assembler must define __ARM_ARCH" +#endif + +// __ARM_ARCH__ is used by OpenSSL assembly to determine the minimum target ARM +// version. +// +// TODO(davidben): Switch the assembly to use |__ARM_ARCH| directly. +#define __ARM_ARCH__ __ARM_ARCH + +// Even when building for 32-bit ARM, support for aarch64 crypto instructions +// will be included. +#define __ARM_MAX_ARCH__ 8 + +// Support macros for +// - Armv8.3-A Pointer Authentication and +// - Armv8.5-A Branch Target Identification +// features which require emitting a .note.gnu.property section with the +// appropriate architecture-dependent feature bits set. +// +// |AARCH64_SIGN_LINK_REGISTER| and |AARCH64_VALIDATE_LINK_REGISTER| expand to +// PACIxSP and AUTIxSP, respectively. 
|AARCH64_SIGN_LINK_REGISTER| should be +// used immediately before saving the LR register (x30) to the stack. +// |AARCH64_VALIDATE_LINK_REGISTER| should be used immediately after restoring +// it. Note |AARCH64_SIGN_LINK_REGISTER|'s modifications to LR must be undone +// with |AARCH64_VALIDATE_LINK_REGISTER| before RET. The SP register must also +// have the same value at the two points. For example: +// +// .global f +// f: +// AARCH64_SIGN_LINK_REGISTER +// stp x29, x30, [sp, #-96]! +// mov x29, sp +// ... +// ldp x29, x30, [sp], #96 +// AARCH64_VALIDATE_LINK_REGISTER +// ret +// +// |AARCH64_VALID_CALL_TARGET| expands to BTI 'c'. Either it, or +// |AARCH64_SIGN_LINK_REGISTER|, must be used at every point that may be an +// indirect call target. In particular, all symbols exported from a file must +// begin with one of these macros. For example, a leaf function that does not +// save LR can instead use |AARCH64_VALID_CALL_TARGET|: +// +// .globl return_zero +// return_zero: +// AARCH64_VALID_CALL_TARGET +// mov x0, #0 +// ret +// +// A non-leaf function which does not immediately save LR may need both macros +// because |AARCH64_SIGN_LINK_REGISTER| appears late. For example, the function +// may jump to an alternate implementation before setting up the stack: +// +// .globl with_early_jump +// with_early_jump: +// AARCH64_VALID_CALL_TARGET +// cmp x0, #128 +// b.lt .Lwith_early_jump_128 +// AARCH64_SIGN_LINK_REGISTER +// stp x29, x30, [sp, #-96]! +// mov x29, sp +// ... +// ldp x29, x30, [sp], #96 +// AARCH64_VALIDATE_LINK_REGISTER +// ret +// +// .Lwith_early_jump_128: +// ... +// ret +// +// These annotations are only required with indirect calls. Private symbols that +// are only the target of direct calls do not require annotations. Also note +// that |AARCH64_VALID_CALL_TARGET| is only valid for indirect calls (BLR), not +// indirect jumps (BR). Indirect jumps in assembly are currently not supported +// and would require a macro for BTI 'j'. 
+// +// Although not necessary, it is safe to use these macros in 32-bit ARM +// assembly. This may be used to simplify dual 32-bit and 64-bit files. +// +// References: +// - "ELF for the ArmĀ® 64-bit Architecture" +// https://github.com/ARM-software/abi-aa/blob/master/aaelf64/aaelf64.rst +// - "Providing protection for complex software" +// https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software + +#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 +#define GNU_PROPERTY_AARCH64_BTI (1 << 0) // Has Branch Target Identification +#define AARCH64_VALID_CALL_TARGET hint #34 // BTI 'c' +#else +#define GNU_PROPERTY_AARCH64_BTI 0 // No Branch Target Identification +#define AARCH64_VALID_CALL_TARGET +#endif + +#if defined(__ARM_FEATURE_PAC_DEFAULT) && \ + (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 // Signed with A-key +#define GNU_PROPERTY_AARCH64_POINTER_AUTH \ + (1 << 1) // Has Pointer Authentication +#define AARCH64_SIGN_LINK_REGISTER hint #25 // PACIASP +#define AARCH64_VALIDATE_LINK_REGISTER hint #29 // AUTIASP +#elif defined(__ARM_FEATURE_PAC_DEFAULT) && \ + (__ARM_FEATURE_PAC_DEFAULT & 2) == 2 // Signed with B-key +#define GNU_PROPERTY_AARCH64_POINTER_AUTH \ + (1 << 1) // Has Pointer Authentication +#define AARCH64_SIGN_LINK_REGISTER hint #27 // PACIBSP +#define AARCH64_VALIDATE_LINK_REGISTER hint #31 // AUTIBSP +#else +#define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 // No Pointer Authentication +#if GNU_PROPERTY_AARCH64_BTI != 0 +#define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET +#else +#define AARCH64_SIGN_LINK_REGISTER +#endif +#define AARCH64_VALIDATE_LINK_REGISTER +#endif + +#if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0 +.pushsection .note.gnu.property, "a"; +.balign 8; +.long 4; +.long 0x10; +.long 0x5; +.asciz "GNU"; +.long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */ +.long 4; +.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI); 
+.long 0; +.popsection; +#endif +#endif // ARM || AARCH64 + +#endif // __ASSEMBLER__ + +#endif // OPENSSL_HEADER_ASM_BASE_H diff --git a/linux-x86/include/openssl/asn1.h b/linux-x86/include/openssl/asn1.h index d128c8d..c9f265a 100644 --- a/linux-x86/include/openssl/asn1.h +++ b/linux-x86/include/openssl/asn1.h @@ -1355,6 +1355,11 @@ OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime( // GeneralizedTime. If |str| is neither, it returns zero. OPENSSL_EXPORT int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); +// ASN1_TIME_set_string_X509 behaves like |ASN1_TIME_set_string| except it +// additionally converts GeneralizedTime to UTCTime if it is in the range where +// UTCTime is used. See RFC 5280, section 4.1.2.5. +OPENSSL_EXPORT int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str); + // ASN1_TIME_to_time_t converts |t| to a time_t value in |out|. On // success, one is returned. On failure zero is returned. This function // will fail if the time can not be represented in a time_t. diff --git a/linux-x86/include/openssl/base.h b/linux-x86/include/openssl/base.h index 80d18a7..87ffe21 100644 --- a/linux-x86/include/openssl/base.h +++ b/linux-x86/include/openssl/base.h @@ -74,6 +74,7 @@ // opensslconf.h. #include <openssl/is_boringssl.h> #include <openssl/opensslconf.h> +#include <openssl/target.h> // IWYU pragma: export #if defined(BORINGSSL_PREFIX) #include <boringssl_prefix_symbols.h> 
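Review bot: The contract in the header comment of asm_base.h reads the wrong way round for x86_64: it says the file "requires the program to be compatible with Intel IBT and SHSTK", but including `<cet.h>` under `__CET__` makes the object advertise that compatibility, so the promise is made by the assembly file itself. An author who reads it as a property of the program may add assembly that manipulates return addresses and still gets marked shadow-stack-safe. I would reword the bullet to `// - The file, on x86_64, is itself compatible with Intel IBT and SHSTK.` and fix the typos `imples` to `implies` and `dependant` to `dependent` while there. It would also help to say that `_CET_ENDBR` expands to nothing on 32-bit x86 even when `__CET__` is defined, since the `#if` only covers `OPENSSL_X86_64`.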
@@ -84,48 +85,7 @@ extern "C" { #endif -#if defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) -#define OPENSSL_64_BIT -#define OPENSSL_X86_64 -#elif defined(__x86) || defined(__i386) || defined(__i386__) || defined(_M_IX86) -#define OPENSSL_32_BIT -#define OPENSSL_X86 -#elif defined(__AARCH64EL__) || defined(_M_ARM64) -#define OPENSSL_64_BIT -#define OPENSSL_AARCH64 -#elif defined(__ARMEL__) || defined(_M_ARM) -#define OPENSSL_32_BIT -#define OPENSSL_ARM -#elif defined(__MIPSEL__) && !defined(__LP64__) -#define OPENSSL_32_BIT -#define OPENSSL_MIPS -#elif defined(__MIPSEL__) && defined(__LP64__) -#define OPENSSL_64_BIT -#define OPENSSL_MIPS64 -#elif defined(__riscv) && __SIZEOF_POINTER__ == 8 -#define OPENSSL_64_BIT -#define OPENSSL_RISCV64 -#elif defined(__riscv) && __SIZEOF_POINTER__ == 4 -#define OPENSSL_32_BIT -#elif defined(__pnacl__) -#define OPENSSL_32_BIT -#define OPENSSL_PNACL -#elif defined(__wasm__) -#define OPENSSL_32_BIT -#elif defined(__asmjs__) -#define OPENSSL_32_BIT -#elif defined(__myriad2__) -#define OPENSSL_32_BIT -#else -// Note BoringSSL only supports standard 32-bit and 64-bit two's-complement, -// little-endian architectures. Functions will not produce the correct answer -// on other systems. Run the crypto_test binary, notably -// crypto/compiler_test.cc, before adding a new architecture. -#error "Unknown target CPU" -#endif - #if defined(__APPLE__) -#define OPENSSL_APPLE // Note |TARGET_OS_MAC| is set for all Apple OS variants. |TARGET_OS_OSX| // targets macOS specifically. #if defined(TARGET_OS_OSX) && TARGET_OS_OSX 
@@ -136,51 +96,6 @@ extern "C" { #endif #endif -#if defined(_WIN32) -#define OPENSSL_WINDOWS -#endif - -// Trusty isn't Linux but currently defines __linux__. As a workaround, we -// exclude it here. -// TODO(b/169780122): Remove this workaround once Trusty no longer defines it. -#if defined(__linux__) && !defined(__TRUSTY__) -#define OPENSSL_LINUX -#endif - -#if defined(__Fuchsia__) -#define OPENSSL_FUCHSIA -#endif - -#if defined(__TRUSTY__) -#define OPENSSL_TRUSTY -#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED -#endif - -#if defined(__ANDROID_API__) -#define OPENSSL_ANDROID -#endif - -#if defined(__FreeBSD__) -#define OPENSSL_FREEBSD -#endif - -// BoringSSL requires platform's locking APIs to make internal global state -// thread-safe, including the PRNG. On some single-threaded embedded platforms, -// locking APIs may not exist, so this dependency may be disabled with the -// following build flag. -// -// IMPORTANT: Doing so means the consumer promises the library will never be -// used in any multi-threaded context. It causes BoringSSL to be globally -// thread-unsafe. Setting it inappropriately will subtly and unpredictably -// corrupt memory and leak secret keys. -// -// Do not set this flag on any platform where threads are possible. BoringSSL -// maintainers will not provide support for any consumers that do so. Changes -// which break such unsupported configurations will not be reverted. -#if !defined(OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED) -#define OPENSSL_THREADS -#endif - #define OPENSSL_IS_BORINGSSL #define OPENSSL_VERSION_NUMBER 0x1010107f #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER 
@@ -193,7 +108,7 @@ extern "C" { // A consumer may use this symbol in the preprocessor to temporarily build // against multiple revisions of BoringSSL at the same time. It is not // recommended to do so for longer than is necessary. -#define BORINGSSL_API_VERSION 19 +#define BORINGSSL_API_VERSION 25 #if defined(BORINGSSL_SHARED_LIBRARY) @@ -307,31 +222,6 @@ extern "C" { #define OPENSSL_INLINE static inline OPENSSL_UNUSED #endif -#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) && \ - !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) -#define BORINGSSL_UNSAFE_DETERMINISTIC_MODE -#endif - -#if defined(__has_feature) -#if __has_feature(address_sanitizer) -#define OPENSSL_ASAN -#endif -#if __has_feature(thread_sanitizer) -#define OPENSSL_TSAN -#endif -#if __has_feature(memory_sanitizer) -#define OPENSSL_MSAN -#define OPENSSL_ASM_INCOMPATIBLE -#endif -#endif - -#if defined(OPENSSL_ASM_INCOMPATIBLE) -#undef OPENSSL_ASM_INCOMPATIBLE -#if !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif // OPENSSL_ASM_INCOMPATIBLE - #if defined(__cplusplus) // enums can be predeclared, but only in C++ and only if given an explicit type. // C doesn't support setting an explicit type for enums thus a #define is used diff --git a/linux-x86/include/openssl/blake2.h b/linux-x86/include/openssl/blake2.h index 9ec1e6c..03e3a46 100644 --- a/linux-x86/include/openssl/blake2.h +++ b/linux-x86/include/openssl/blake2.h @@ -28,10 +28,7 @@ extern "C" { struct blake2b_state_st { uint64_t h[8]; uint64_t t_low, t_high; - union { - uint8_t bytes[BLAKE2B_CBLOCK]; - uint64_t words[16]; - } block; + uint8_t block[BLAKE2B_CBLOCK]; size_t block_used; }; diff --git a/linux-x86/include/openssl/bn.h b/linux-x86/include/openssl/bn.h index a03e41f..0361645 100644 --- a/linux-x86/include/openssl/bn.h +++ b/linux-x86/include/openssl/bn.h 
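Review bot: Replacing the `bytes`/`words` union in `struct blake2b_state_st` with `uint8_t block[BLAKE2B_CBLOCK]` removes the only typed 64-bit view of the buffer, so any code that still reads the block as words has to copy them out rather than cast `block` to `uint64_t *`, which would violate strict aliasing. The implementation is not part of this diff, so whether it was converted cannot be confirmed here. A comment on the member, e.g. `// block is a raw byte buffer; load 64-bit words with memcpy, never by casting.`, would record the intent. Since the struct is in a public header, callers that touched `block.bytes` will also stop compiling.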
@@ -160,14 +160,12 @@ extern "C" { typedef uint64_t BN_ULONG; #define BN_BITS2 64 #define BN_DEC_FMT1 "%" PRIu64 -#define BN_DEC_FMT2 "%019" PRIu64 #define BN_HEX_FMT1 "%" PRIx64 #define BN_HEX_FMT2 "%016" PRIx64 #elif defined(OPENSSL_32_BIT) typedef uint32_t BN_ULONG; #define BN_BITS2 32 #define BN_DEC_FMT1 "%" PRIu32 -#define BN_DEC_FMT2 "%09" PRIu32 #define BN_HEX_FMT1 "%" PRIx32 #define BN_HEX_FMT2 "%08" PRIx32 #else diff --git a/linux-x86/include/openssl/chacha.h b/linux-x86/include/openssl/chacha.h index cfbaa75..2868c29 100644 --- a/linux-x86/include/openssl/chacha.h +++ b/linux-x86/include/openssl/chacha.h @@ -29,6 +29,12 @@ extern "C" { // CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and // nonce and writes the result to |out|. If |in| and |out| alias, they must be // equal. The initial block counter is specified by |counter|. +// +// This function implements a 32-bit block counter as in RFC 8439. On overflow, +// the counter wraps. Reusing a key, nonce, and block counter combination is not +// secure, so wrapping is usually a bug in the caller. While it is possible to +// wrap without reuse with a large initial block counter, this is not +// recommended and may not be portable to other ChaCha20 implementations. OPENSSL_EXPORT void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len, const uint8_t key[32], const uint8_t nonce[12], uint32_t counter); diff --git a/linux-x86/include/openssl/conf.h b/linux-x86/include/openssl/conf.h index 908c16e..c9027c1 100644 --- a/linux-x86/include/openssl/conf.h +++ b/linux-x86/include/openssl/conf.h 
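Review bot: The new paragraph on `CRYPTO_chacha_20` says the 32-bit block counter wraps but not when, so a caller cannot tell from the header whether a given call is safe. With 64-byte ChaCha20 blocks and a `size_t` length, a single call wraps once `counter` plus the number of blocks in `in_len` exceeds 2^32, which is reachable on 64-bit targets. I would add a sentence such as `// Callers should ensure |counter| + ceil(|in_len| / 64) does not exceed 2^32.` so the bound is explicit.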
@@ -77,7 +77,10 @@ extern "C" { // [section_name] // key2=value2 // -// Config files are represented by a |CONF|. +// Config files are represented by a |CONF|. Use of this module is strongly +// discouraged. It is a remnant of the OpenSSL command-line tool. Parsing an +// untrusted input as a config file risks string injection and denial of service +// vulnerabilities. struct conf_value_st { char *section; @@ -166,5 +169,6 @@ BSSL_NAMESPACE_END #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 104 #define CONF_R_VARIABLE_HAS_NO_VALUE 105 #define CONF_R_VARIABLE_EXPANSION_TOO_LONG 106 +#define CONF_R_VARIABLE_EXPANSION_NOT_SUPPORTED 107 #endif // OPENSSL_HEADER_THREAD_H diff --git a/linux-x86/include/openssl/dsa.h b/linux-x86/include/openssl/dsa.h index 30afd43..4075001 100644 --- a/linux-x86/include/openssl/dsa.h +++ b/linux-x86/include/openssl/dsa.h @@ -62,9 +62,7 @@ #include <openssl/base.h> -#include <openssl/engine.h> #include <openssl/ex_data.h> -#include <openssl/thread.h> #if defined(__cplusplus) extern "C" { @@ -398,25 +396,6 @@ OPENSSL_EXPORT DSA *DSA_generate_parameters(int bits, unsigned char *seed, void *cb_arg); -struct dsa_st { - long version; - BIGNUM *p; - BIGNUM *q; // == 20 - BIGNUM *g; - - BIGNUM *pub_key; // y public key - BIGNUM *priv_key; // x private key - - int flags; - // Normally used to cache montgomery values - CRYPTO_MUTEX method_mont_lock; - BN_MONT_CTX *method_mont_p; - BN_MONT_CTX *method_mont_q; - CRYPTO_refcount_t references; - CRYPTO_EX_DATA ex_data; -}; - - #if defined(__cplusplus) } // extern C diff --git a/linux-x86/include/openssl/ec.h b/linux-x86/include/openssl/ec.h index dd5259b..f1a77b2 100644 --- a/linux-x86/include/openssl/ec.h +++ b/linux-x86/include/openssl/ec.h 
@@ -101,8 +101,24 @@ typedef enum { // Elliptic curve groups. -// EC_GROUP_new_by_curve_name returns a fresh EC_GROUP object for the elliptic -// curve specified by |nid|, or NULL on unsupported NID or allocation failure. +// EC_group_p224 returns an |EC_GROUP| for P-224, also known as secp224r1. +OPENSSL_EXPORT const EC_GROUP *EC_group_p224(void); + +// EC_group_p256 returns an |EC_GROUP| for P-256, also known as secp256r1 or +// prime256v1. +OPENSSL_EXPORT const EC_GROUP *EC_group_p256(void); + +// EC_group_p384 returns an |EC_GROUP| for P-384, also known as secp384r1. +OPENSSL_EXPORT const EC_GROUP *EC_group_p384(void); + +// EC_group_p521 returns an |EC_GROUP| for P-521, also known as secp521r1. +OPENSSL_EXPORT const EC_GROUP *EC_group_p521(void); + +// EC_GROUP_new_by_curve_name returns the |EC_GROUP| object for the elliptic +// curve specified by |nid|, or NULL on unsupported NID. For OpenSSL +// compatibility, this function returns a non-const pointer which may be passed +// to |EC_GROUP_free|. However, the resulting object is actually static and +// calling |EC_GROUP_free| is optional. // // The supported NIDs are: // NID_secp224r1 (P-224), @@ -110,6 +126,9 @@ typedef enum { // NID_secp384r1 (P-384), // NID_secp521r1 (P-521) // +// Calling this function causes all four curves to be linked into the binary. +// Prefer calling |EC_group_*| to allow the static linker to drop unused curves. +// // If in doubt, use |NID_X9_62_prime256v1|, or see the curve25519.h header for // more modern primitives. OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_by_curve_name(int nid); diff --git a/linux-x86/include/openssl/ec_key.h b/linux-x86/include/openssl/ec_key.h index 00986cf..b7bc74c 100644 --- a/linux-x86/include/openssl/ec_key.h +++ b/linux-x86/include/openssl/ec_key.h 
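Review bot: `EC_GROUP_new_by_curve_name` now hands out a non-const pointer to a shared static object, and the comment only covers `EC_GROUP_free`; it does not say what happens if a caller passes the result to a function that modifies the group. Code written against the old "fresh object" contract may do exactly that, and the effect would then be visible to every other user of the curve. I would add `// The result must not be modified; use |EC_GROUP_dup| if a mutable copy is needed.`, assuming the library does not already reject such calls, and state on the new `EC_group_p*` comments that the returned pointer is static and never needs freeing. The same gap applies to the rewritten comments for `EC_KEY_parse_curve_name` and `EC_KEY_parse_parameters` in ec_key.h.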
@@ -259,8 +259,15 @@ OPENSSL_EXPORT int EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key, unsigned enc_flags); // EC_KEY_parse_curve_name parses a DER-encoded OBJECT IDENTIFIER as a curve -// name from |cbs| and advances |cbs|. It returns a newly-allocated |EC_GROUP| -// or NULL on error. +// name from |cbs| and advances |cbs|. It returns the decoded |EC_GROUP| or NULL +// on error. +// +// This function returns a non-const pointer which may be passed to +// |EC_GROUP_free|. However, the resulting object is actually static and calling +// |EC_GROUP_free| is optional. +// +// TODO(davidben): Make this return a const pointer, if it does not break too +// many callers. OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs); // EC_KEY_marshal_curve_name marshals |group| as a DER-encoded OBJECT IDENTIFIER @@ -269,10 +276,16 @@ OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs); OPENSSL_EXPORT int EC_KEY_marshal_curve_name(CBB *cbb, const EC_GROUP *group); // EC_KEY_parse_parameters parses a DER-encoded ECParameters structure (RFC -// 5480) from |cbs| and advances |cbs|. It returns a newly-allocated |EC_GROUP| -// or NULL on error. It supports the namedCurve and specifiedCurve options, but -// use of specifiedCurve is deprecated. Use |EC_KEY_parse_curve_name| -// instead. +// 5480) from |cbs| and advances |cbs|. It returns the resulting |EC_GROUP| or +// NULL on error. It supports the namedCurve and specifiedCurve options, but use +// of specifiedCurve is deprecated. Use |EC_KEY_parse_curve_name| instead. +// +// This function returns a non-const pointer which may be passed to +// |EC_GROUP_free|. However, the resulting object is actually static and calling +// |EC_GROUP_free| is optional. +// +// TODO(davidben): Make this return a const pointer, if it does not break too +// many callers. OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_parameters(CBS *cbs); 
diff --git a/linux-x86/include/openssl/evp.h b/linux-x86/include/openssl/evp.h index 00ae4f5..6f6eaa9 100644 --- a/linux-x86/include/openssl/evp.h +++ b/linux-x86/include/openssl/evp.h @@ -180,11 +180,6 @@ OPENSSL_EXPORT EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey); #define EVP_PKEY_X25519 NID_X25519 #define EVP_PKEY_HKDF NID_hkdf -// EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of -// the given type. It returns one if successful or zero if the |type| argument -// is not one of the |EVP_PKEY_*| values or if |key| is NULL. -OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); - // EVP_PKEY_set_type sets the type of |pkey| to |type|. It returns one if // successful or zero if the |type| argument is not one of the |EVP_PKEY_*| // values. If |pkey| is NULL, it simply reports whether the type is known. @@ -239,9 +234,9 @@ OPENSSL_EXPORT int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key); // Raw keys // // Some keys types support a "raw" serialization. Currently the only supported -// raw format is Ed25519, where the public key and private key formats are those -// specified in RFC 8032. Note the RFC 8032 private key format is the 32-byte -// prefix of |ED25519_sign|'s 64-byte private key. +// raw formats are X25519 and Ed25519, where the formats are those specified in +// RFC 7748 and RFC 8032, respectively. Note the RFC 8032 private key format is +// the 32-byte prefix of |ED25519_sign|'s 64-byte private key. // EVP_PKEY_new_raw_private_key returns a newly allocated |EVP_PKEY| wrapping a // private key of the specified type. It returns one on success and zero on 
@@ -480,7 +475,7 @@ OPENSSL_EXPORT int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, // returns one on success and zero on allocation failure or if iterations is 0. OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, const uint8_t *salt, size_t salt_len, - unsigned iterations, const EVP_MD *digest, + uint32_t iterations, const EVP_MD *digest, size_t key_len, uint8_t *out_key); // PKCS5_PBKDF2_HMAC_SHA1 is the same as PKCS5_PBKDF2_HMAC, but with |digest| @@ -488,7 +483,7 @@ OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC_SHA1(const char *password, size_t password_len, const uint8_t *salt, size_t salt_len, - unsigned iterations, size_t key_len, + uint32_t iterations, size_t key_len, uint8_t *out_key); // EVP_PBE_scrypt expands |password| into a secret key of length |key_len| using @@ -1032,6 +1027,15 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, OPENSSL_EXPORT int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits); +// EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of +// the given type. If successful, it returns one. If the |type| argument +// is not one of |EVP_PKEY_RSA|, |EVP_PKEY_DSA|, or |EVP_PKEY_EC| values or if +// |key| is NULL, it returns zero. This function may not be used with other +// |EVP_PKEY_*| types. +// +// Use the |EVP_PKEY_assign_*| functions instead. +OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); + // Preprocessor compatibility section (hidden). // diff --git a/linux-x86/include/openssl/hpke.h b/linux-x86/include/openssl/hpke.h index 3ce6946..eaf5947 100644 --- a/linux-x86/include/openssl/hpke.h +++ b/linux-x86/include/openssl/hpke.h 
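Review bot: Changing `iterations` to `uint32_t` in `PKCS5_PBKDF2_HMAC` makes the width explicit, but the comment still only mentions the zero case, so a caller that holds the count in a wider type (a `size_t` or a 64-bit value parsed from a file) will have it silently truncated at the call, possibly to a very small number. That weakens the derived key without any error. I would extend the comment with `// |iterations| is 32 bits; callers converting from a wider type must range-check first.` The same applies to the `PKCS5_PBKDF2_HMAC_SHA1` hunk that follows.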
@@ -249,6 +249,34 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_recipient( const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len, const uint8_t *info, size_t info_len); +// EVP_HPKE_CTX_setup_auth_sender implements the SetupAuthS HPKE operation. It +// behaves like |EVP_HPKE_CTX_setup_sender| but authenticates the resulting +// context with |key|. +OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender( + EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, + const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, + const uint8_t *peer_public_key, size_t peer_public_key_len, + const uint8_t *info, size_t info_len); + +// EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing behaves like +// |EVP_HPKE_CTX_setup_auth_sender|, but takes a seed to behave +// deterministically. The seed's format depends on |kem|. For X25519, it is the +// sender's ephemeral private key. +OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing( + EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, + const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, + const uint8_t *peer_public_key, size_t peer_public_key_len, + const uint8_t *info, size_t info_len, const uint8_t *seed, size_t seed_len); + +// EVP_HPKE_CTX_setup_auth_recipient implements the SetupAuthR HPKE operation. +// It behaves like |EVP_HPKE_CTX_setup_recipient| but checks the resulting +// context was authenticated with |peer_public_key|. +OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_recipient( + EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, + const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len, + const uint8_t *info, size_t info_len, const uint8_t *peer_public_key, + size_t peer_public_key_len); + // Using an HPKE context. // diff --git a/linux-x86/include/openssl/nid.h b/linux-x86/include/openssl/nid.h index 64c9c9c..4dd8841 100644 --- a/linux-x86/include/openssl/nid.h 
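Review bot: The comment on `EVP_HPKE_CTX_setup_auth_recipient` says it "checks the resulting context was authenticated with |peer_public_key|", which reads as if a return value of one proves the sender's identity. As I understand RFC 9180's Auth mode, the sender key is only mixed into the key schedule, so a mismatched sender key would show up later as a failed open rather than at setup. If that is the behaviour here, the header should say so, e.g. `// Sender authentication is only established once a message is successfully opened with |ctx|.` Separately, the `_with_seed_for_testing` comment refers to |kem|, but the function has no such parameter (the KEM presumably comes from |key|), and it could state that reusing a seed reuses the ephemeral private key.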
+++ b/linux-x86/include/openssl/nid.h @@ -4252,14 +4252,8 @@ extern "C" { #define LN_hkdf "hkdf" #define NID_hkdf 963 -#define SN_X25519Kyber768 "X25519Kyber768" -#define NID_X25519Kyber768 964 - -#define SN_P256Kyber768 "P256Kyber768" -#define NID_P256Kyber768 965 - -#define SN_P384Kyber768 "P384Kyber768" -#define NID_P384Kyber768 966 +#define SN_X25519Kyber768Draft00 "X25519Kyber768Draft00" +#define NID_X25519Kyber768Draft00 964 #if defined(__cplusplus) diff --git a/linux-x86/include/openssl/rand.h b/linux-x86/include/openssl/rand.h index 586274d..6193c00 100644 --- a/linux-x86/include/openssl/rand.h +++ b/linux-x86/include/openssl/rand.h @@ -29,20 +29,6 @@ extern "C" { // event that sufficient random data can not be obtained, |abort| is called. OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len); -// RAND_get_system_entropy_for_custom_prng writes |len| bytes of random data -// from a system entropy source to |buf|. The maximum length of entropy which -// may be requested is 256 bytes. If more than 256 bytes of data is requested, -// or if sufficient random data can not be obtained, |abort| is called. -// |RAND_bytes| should normally be used instead of this function. This function -// should only be used for seed values or where |malloc| should not be called -// from BoringSSL. This function is not FIPS compliant. -OPENSSL_EXPORT void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, - size_t len); - -// RAND_cleanup frees any resources used by the RNG. This is not safe if other -// threads might still be calling |RAND_bytes|. -OPENSSL_EXPORT void RAND_cleanup(void); - // Obscure functions. 
@@ -65,6 +51,16 @@ OPENSSL_EXPORT void RAND_enable_fork_unsafe_buffering(int fd); OPENSSL_EXPORT void RAND_reset_for_fuzzing(void); #endif +// RAND_get_system_entropy_for_custom_prng writes |len| bytes of random data +// from a system entropy source to |buf|. The maximum length of entropy which +// may be requested is 256 bytes. If more than 256 bytes of data is requested, +// or if sufficient random data can not be obtained, |abort| is called. +// |RAND_bytes| should normally be used instead of this function. This function +// should only be used for seed values or where |malloc| should not be called +// from BoringSSL. This function is not FIPS compliant. +OPENSSL_EXPORT void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, + size_t len); + // Deprecated functions @@ -93,6 +89,9 @@ OPENSSL_EXPORT int RAND_poll(void); // RAND_status returns one. OPENSSL_EXPORT int RAND_status(void); +// RAND_cleanup does nothing. +OPENSSL_EXPORT void RAND_cleanup(void); + // rand_meth_st is typedefed to |RAND_METHOD| in base.h. It isn't used; it // exists only to be the return type of |RAND_SSLeay|. It's // external so that variables of this type can be initialized. diff --git a/linux-x86/include/openssl/rsa.h b/linux-x86/include/openssl/rsa.h index a1c03cd..fd183f7 100644 --- a/linux-x86/include/openssl/rsa.h +++ b/linux-x86/include/openssl/rsa.h 
@@ -79,7 +79,22 @@ extern "C" { // documented, functions which take a |const| pointer are non-mutating and // functions which take a non-|const| pointer are mutating. -// RSA_new returns a new, empty |RSA| object or NULL on error. +// RSA_new_public_key returns a new |RSA| object containing a public key with +// the specified parameters, or NULL on error or invalid input. +OPENSSL_EXPORT RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e); + +// RSA_new_private_key returns a new |RSA| object containing a private key with +// the specified parameters, or NULL on error or invalid input. All parameters +// are mandatory and may not be NULL. +// +// This function creates standard RSA private keys with CRT parameters. +OPENSSL_EXPORT RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, + const BIGNUM *d, const BIGNUM *p, + const BIGNUM *q, const BIGNUM *dmp1, + const BIGNUM *dmq1, const BIGNUM *iqmp); + +// RSA_new returns a new, empty |RSA| object or NULL on error. Prefer using +// |RSA_new_public_key| or |RSA_new_private_key| to import an RSA key. OPENSSL_EXPORT RSA *RSA_new(void); // RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. 
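Review bot: `RSA_new_public_key` and `RSA_new_private_key` are documented as returning NULL on "invalid input" without saying what is validated. A caller importing a key from an untrusted source cannot tell from this header whether the parameters are checked for mutual consistency (for example that |p|, |q| and the CRT values agree with |n| and |d|) or only for presence and size, and so whether a separate key check is still needed. A sentence listing the checks performed would close the gap. It would also help to say that the `const BIGNUM *` arguments are copied rather than adopted, if that is the case.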
@@ -148,6 +163,20 @@ OPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, const BIGNUM **out_dmq1, const BIGNUM **out_iqmp); + +// Setting individual properties. +// +// These functions allow setting individual properties of an |RSA| object. This +// is typically used with |RSA_new| to construct an RSA key field by field. +// Prefer instead to use |RSA_new_public_key| and |RSA_new_private_key|. These +// functions defer some initialization to the first use of an |RSA| object. This +// means invalid inputs may be caught late. +// +// TODO(crbug.com/boringssl/316): This deferred initialization also causes +// performance problems in multi-threaded applications. The preferred APIs +// currently have the same issues, but they will initialize eagerly in the +// future. + // RSA_set0_key sets |rsa|'s modulus, public exponent, and private exponent to // |n|, |e|, and |d| respectively, if non-NULL. On success, it takes ownership // of each argument and returns one. Otherwise, it returns zero. 
@@ -570,6 +599,48 @@ OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len, const RSA *rsa); +// Obscure RSA variants. +// +// These functions allow creating RSA keys with obscure combinations of +// parameters. + +// RSA_new_private_key_no_crt behaves like |RSA_new_private_key| but constructs +// an RSA key without CRT coefficients. +// +// Keys created by this function will be less performant and cannot be +// serialized. +OPENSSL_EXPORT RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e, + const BIGNUM *d); + +// RSA_new_private_key_no_e behaves like |RSA_new_private_key| but constructs an +// RSA key without CRT parameters or public exponent. +// +// Keys created by this function will be less performant, cannot be serialized, +// and lack hardening measures that protect against side channels and fault +// attacks. +OPENSSL_EXPORT RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d); + +// RSA_new_public_key_large_e behaves like |RSA_new_public_key| but allows any +// |e| up to |n|. +// +// BoringSSL typically bounds public exponents as a denial-of-service +// mitigation. Keys created by this function may perform worse than those +// created by |RSA_new_public_key|. +OPENSSL_EXPORT RSA *RSA_new_public_key_large_e(const BIGNUM *n, + const BIGNUM *e); + +// RSA_new_private_key_large_e behaves like |RSA_new_private_key| but allows any +// |e| up to |n|. +// +// BoringSSL typically bounds public exponents as a denial-of-service +// mitigation. Keys created by this function may perform worse than those +// created by |RSA_new_private_key|. +OPENSSL_EXPORT RSA *RSA_new_private_key_large_e( + const BIGNUM *n, const BIGNUM *e, const BIGNUM *d, const BIGNUM *p, + const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1, + const BIGNUM *iqmp); + + // ex_data functions. // // See |ex_data.h| for details. 
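Review bot: The comments on `RSA_new_public_key_large_e` and `RSA_new_private_key_large_e` say the usual exponent bound is a denial-of-service mitigation, but the only stated consequence is that such keys "may perform worse". I would spell out the usage rule that follows from that: `// Do not use this function for keys received from untrusted parties; the bound it lifts exists to limit the cost of each public-key operation.` That would match the explicit guidance `RSA_new_private_key_no_e` already gets about side channels and fault attacks.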
@@ -600,6 +671,17 @@ OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx); // RSA_FLAG_EXT_PKEY is deprecated and ignored. #define RSA_FLAG_EXT_PKEY 0x20 +// RSA_FLAG_NO_PUBLIC_EXPONENT indicates that private keys without a public +// exponent are allowed. This is an internal constant. Use +// |RSA_new_private_key_no_e| to construct such keys. +#define RSA_FLAG_NO_PUBLIC_EXPONENT 0x40 + +// RSA_FLAG_LARGE_PUBLIC_EXPONENT indicates that keys with a large public +// exponent are allowed. This is an internal constant. Use +// |RSA_new_public_key_large_e| and |RSA_new_private_key_large_e| to construct +// such keys. +#define RSA_FLAG_LARGE_PUBLIC_EXPONENT 0x80 + // RSA public exponent values. @@ -688,6 +770,14 @@ OPENSSL_EXPORT int RSA_print(BIO *bio, const RSA *rsa, int indent); // the id-RSASSA-PSS key encoding. OPENSSL_EXPORT const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa); +// RSA_new_method_no_e returns a newly-allocated |RSA| object backed by +// |engine|, with a public modulus of |n| and no known public exponent. +// +// Do not use this function. It exists only to support Conscrypt, whose use +// should be replaced with a more sound mechanism. See +// https://crbug.com/boringssl/602. +OPENSSL_EXPORT RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n); + struct rsa_meth_st { struct openssl_method_common_st common; 
@@ -728,67 +818,6 @@ struct rsa_meth_st { }; -// Private functions. - -typedef struct bn_blinding_st BN_BLINDING; - -struct rsa_st { - RSA_METHOD *meth; - - // Access to the following fields was historically allowed, but - // deprecated. Use |RSA_get0_*| and |RSA_set0_*| instead. Access to all other - // fields is forbidden and will cause threading errors. - BIGNUM *n; - BIGNUM *e; - BIGNUM *d; - BIGNUM *p; - BIGNUM *q; - BIGNUM *dmp1; - BIGNUM *dmq1; - BIGNUM *iqmp; - - // be careful using this if the RSA structure is shared - CRYPTO_EX_DATA ex_data; - CRYPTO_refcount_t references; - int flags; - - CRYPTO_MUTEX lock; - - // Used to cache montgomery values. The creation of these values is protected - // by |lock|. - BN_MONT_CTX *mont_n; - BN_MONT_CTX *mont_p; - BN_MONT_CTX *mont_q; - - // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively, - // but with the correct widths to prevent side channels. These must use - // separate copies due to threading concerns caused by OpenSSL's API - // mistakes. See https://github.com/openssl/openssl/issues/5158 and - // the |freeze_private_key| implementation. - BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed; - - // inv_small_mod_large_mont is q^-1 mod p in Montgomery form, using |mont_p|, - // if |p| >= |q|. Otherwise, it is p^-1 mod q in Montgomery form, using - // |mont_q|. - BIGNUM *inv_small_mod_large_mont; - - // num_blindings contains the size of the |blindings| and |blindings_inuse| - // arrays. This member and the |blindings_inuse| array are protected by - // |lock|. - size_t num_blindings; - // blindings is an array of BN_BLINDING structures that can be reserved by a - // thread by locking |lock| and changing the corresponding element in - // |blindings_inuse| from 0 to 1. - BN_BLINDING **blindings; - unsigned char *blindings_inuse; - uint64_t blinding_fork_generation; - - // private_key_frozen is one if the key has been used for a private key - // operation and may no longer be mutated. 
- unsigned private_key_frozen:1; -}; - - #if defined(__cplusplus) } // extern C diff --git a/linux-x86/include/openssl/span.h b/linux-x86/include/openssl/span.h index 67a1a5c..34b39c0 100644 --- a/linux-x86/include/openssl/span.h +++ b/linux-x86/include/openssl/span.h @@ -205,6 +205,11 @@ auto MakeConstSpan(const C &c) -> decltype(MakeConstSpan(c.data(), c.size())) { return MakeConstSpan(c.data(), c.size()); } +template <typename T, size_t size> +Span<const T> MakeConstSpan(T (&array)[size]) { + return array; +} + BSSL_NAMESPACE_END } // extern C++ diff --git a/linux-x86/include/openssl/ssl.h b/linux-x86/include/openssl/ssl.h index 5b5e3fe..6f35e6b 100644 --- a/linux-x86/include/openssl/ssl.h +++ b/linux-x86/include/openssl/ssl.h 
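Review bot: The new array overload of `MakeConstSpan` in span.h has no comment, and its length semantics for character arrays are easy to misread. The span covers the array's full extent `size`, so a string literal or a NUL-terminated `char` buffer would include the terminator, and a partly filled fixed-size buffer would expose its unused tail. I would document this above the template: `// MakeConstSpan returns a span over all |size| elements of |array|. For a string literal this includes the trailing NUL.`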
@@ -1081,6 +1081,21 @@ OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl, OPENSSL_EXPORT const char *SSL_get_signature_algorithm_name(uint16_t sigalg, int include_curve); +// SSL_get_all_signature_algorithm_names outputs a list of possible strings +// |SSL_get_signature_algorithm_name| may return in this version of BoringSSL. +// It writes at most |max_out| entries to |out| and returns the total number it +// would have written, if |max_out| had been large enough. |max_out| may be +// initially set to zero to size the output. +// +// This function is only intended to help initialize tables in callers that want +// possible strings pre-declared. This list would not be suitable to set a list +// of supported features. It is in no particular order, and may contain +// placeholder, experimental, or deprecated values that do not apply to every +// caller. Future versions of BoringSSL may also return strings not in this +// list, so this does not apply if, say, sending strings across services. +OPENSSL_EXPORT size_t SSL_get_all_signature_algorithm_names(const char **out, + size_t max_out); + // SSL_get_signature_algorithm_key_type returns the key type associated with // |sigalg| as an |EVP_PKEY_*| constant or |EVP_PKEY_NONE| if unknown. OPENSSL_EXPORT int SSL_get_signature_algorithm_key_type(uint16_t sigalg); 
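Review bot: The comment on `SSL_get_all_signature_algorithm_names` says |max_out| "may be initially set to zero to size the output" but does not say whether |out| may be NULL in that call, which is what most callers will pass. It also does not state the lifetime of the returned strings. Suggested additions: `// |out| may be NULL if |max_out| is zero.` and a sentence saying whether the strings are static and must not be freed. The same wording is repeated for `SSL_get_all_cipher_names`, `SSL_get_all_standard_cipher_names`, `SSL_get_all_group_names` and `SSL_get_all_version_names` in later hunks of this file.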
@@ -1360,10 +1375,15 @@ OPENSSL_EXPORT int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher); // function returns |NID_auth_any|. OPENSSL_EXPORT int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher); -// SSL_CIPHER_get_prf_nid retuns the NID for |cipher|'s PRF hash. If |cipher| is -// a pre-TLS-1.2 cipher, it returns |NID_md5_sha1| but note these ciphers use +// SSL_CIPHER_get_handshake_digest returns |cipher|'s PRF hash. If |cipher| +// is a pre-TLS-1.2 cipher, it returns |EVP_md5_sha1| but note these ciphers use // SHA-256 in TLS 1.2. Other return values may be treated uniformly in all // applicable versions. +OPENSSL_EXPORT const EVP_MD *SSL_CIPHER_get_handshake_digest( + const SSL_CIPHER *cipher); + +// SSL_CIPHER_get_prf_nid behaves like |SSL_CIPHER_get_handshake_digest| but +// returns the NID constant. Use |SSL_CIPHER_get_handshake_digest| instead. OPENSSL_EXPORT int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher); // SSL_CIPHER_get_min_version returns the minimum protocol version required 
@@ -1394,6 +1414,37 @@ OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher); OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits); +// SSL_get_all_cipher_names outputs a list of possible strings +// |SSL_CIPHER_get_name| may return in this version of BoringSSL. It writes at +// most |max_out| entries to |out| and returns the total number it would have +// written, if |max_out| had been large enough. |max_out| may be initially set +// to zero to size the output. +// +// This function is only intended to help initialize tables in callers that want +// possible strings pre-declared. This list would not be suitable to set a list +// of supported features. It is in no particular order, and may contain +// placeholder, experimental, or deprecated values that do not apply to every +// caller. Future versions of BoringSSL may also return strings not in this +// list, so this does not apply if, say, sending strings across services. +OPENSSL_EXPORT size_t SSL_get_all_cipher_names(const char **out, + size_t max_out); + + +// SSL_get_all_standard_cipher_names outputs a list of possible strings +// |SSL_CIPHER_standard_name| may return in this version of BoringSSL. It writes +// at most |max_out| entries to |out| and returns the total number it would have +// written, if |max_out| had been large enough. |max_out| may be initially set +// to zero to size the output. +// +// This function is only intended to help initialize tables in callers that want +// possible strings pre-declared. This list would not be suitable to set a list +// of supported features. It is in no particular order, and may contain +// placeholder, experimental, or deprecated values that do not apply to every +// caller. Future versions of BoringSSL may also return strings not in this +// list, so this does not apply if, say, sending strings across services. 
+OPENSSL_EXPORT size_t SSL_get_all_standard_cipher_names(const char **out, + size_t max_out); + // Cipher suite configuration. // @@ -1430,7 +1481,8 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, // // Available cipher rules are: // -// |ALL| matches all ciphers. +// |ALL| matches all ciphers, except for deprecated ciphers which must be +// named explicitly. // // |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE, // ECDHE, and plain PSK key exchanges, respectively. Note that ECDHE_PSK is @@ -1487,8 +1539,7 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, // // TLS 1.3 ciphers do not participate in this mechanism and instead have a // built-in preference order. Functions to set cipher lists do not affect TLS -// 1.3, and functions to query the cipher list do not include TLS 1.3 -// ciphers. +// 1.3, and functions to query the cipher list do not include TLS 1.3 ciphers. // SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is // substituted when a cipher string starts with 'DEFAULT'. 
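Review bot: The updated |ALL| rule (second hunk on this line) says deprecated ciphers are excluded and "must be named explicitly", but nothing in the hunk says which ciphers count as deprecated. Someone auditing a cipher string cannot tell from this text which suites `ALL` no longer enables, or which names would turn them back on. A cross-reference from this rule to the place where the deprecated suites are listed would fix that. The surrounding comment block starts and ends outside the hunk, so such a list may already exist elsewhere in the file.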
@@ -2285,80 +2336,100 @@ OPENSSL_EXPORT int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets); OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx); -// Elliptic curve Diffie-Hellman. -// -// Cipher suites using an ECDHE key exchange perform Diffie-Hellman over an -// elliptic curve negotiated by both endpoints. See RFC 4492. Only named curves -// are supported. ECDHE is always enabled, but the curve preferences may be -// configured with these functions. -// -// Note that TLS 1.3 renames these from curves to groups. For consistency, we -// currently use the TLS 1.2 name in the API. - -// SSL_CTX_set1_curves sets the preferred curves for |ctx| to be |curves|. Each -// element of |curves| should be a curve nid. It returns one on success and -// zero on failure. -// -// Note that this API uses nid values from nid.h and not the |SSL_CURVE_*| -// values defined below. -OPENSSL_EXPORT int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, - size_t curves_len); - -// SSL_set1_curves sets the preferred curves for |ssl| to be |curves|. Each -// element of |curves| should be a curve nid. It returns one on success and -// zero on failure. -// -// Note that this API uses nid values from nid.h and not the |SSL_CURVE_*| -// values defined below. -OPENSSL_EXPORT int SSL_set1_curves(SSL *ssl, const int *curves, - size_t curves_len); - -// SSL_CTX_set1_curves_list sets the preferred curves for |ctx| to be the -// colon-separated list |curves|. Each element of |curves| should be a curve -// name (e.g. P-256, X25519, ...). It returns one on success and zero on -// failure. -OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves); - -// SSL_set1_curves_list sets the preferred curves for |ssl| to be the -// colon-separated list |curves|. Each element of |curves| should be a curve -// name (e.g. P-256, X25519, ...). It returns one on success and zero on -// failure. 
-OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); - -// SSL_CURVE_* define TLS curve IDs. -#define SSL_CURVE_SECP224R1 21 -#define SSL_CURVE_SECP256R1 23 -#define SSL_CURVE_SECP384R1 24 -#define SSL_CURVE_SECP521R1 25 -#define SSL_CURVE_X25519 29 -#define SSL_CURVE_X25519KYBER768 0x6399 -#define SSL_CURVE_P256KYBER768 0xfe32 - -// SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently -// completed handshake or 0 if not applicable. -// -// TODO(davidben): This API currently does not work correctly if there is a -// renegotiation in progress. Fix this. -OPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl); - -// SSL_get_curve_name returns a human-readable name for the curve specified by -// the given TLS curve id, or NULL if the curve is unknown. -OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id); +// Diffie-Hellman groups and ephemeral key exchanges. +// +// Most TLS handshakes (ECDHE cipher suites in TLS 1.2, and all supported TLS +// 1.3 modes) incorporate an ephemeral key exchange, most commonly using +// Elliptic Curve Diffie-Hellman (ECDH), as described in RFC 8422. The key +// exchange algorithm is negotiated separately from the cipher suite, using +// NamedGroup values, which define Diffie-Hellman groups. +// +// Historically, these values were known as "curves", in reference to ECDH, and +// some APIs refer to the original name. RFC 7919 renamed them to "groups" in +// reference to Diffie-Hellman in general. These values are also used to select +// experimental post-quantum KEMs. Though not Diffie-Hellman groups, KEMs can +// fill a similar role in TLS, so they use the same codepoints. +// +// In TLS 1.2, the ECDH values also negotiate elliptic curves used in ECDSA. In +// TLS 1.3 and later, ECDSA curves are part of the signature algorithm. See +// |SSL_SIGN_*|. + +// SSL_GROUP_* define TLS group IDs. 
+#define SSL_GROUP_SECP224R1 21 +#define SSL_GROUP_SECP256R1 23 +#define SSL_GROUP_SECP384R1 24 +#define SSL_GROUP_SECP521R1 25 +#define SSL_GROUP_X25519 29 +#define SSL_GROUP_X25519_KYBER768_DRAFT00 0x6399 + +// SSL_CTX_set1_group_ids sets the preferred groups for |ctx| to |group_ids|. +// Each element of |group_ids| should be one of the |SSL_GROUP_*| constants. It +// returns one on success and zero on failure. +OPENSSL_EXPORT int SSL_CTX_set1_group_ids(SSL_CTX *ctx, + const uint16_t *group_ids, + size_t num_group_ids); + +// SSL_set1_group_ids sets the preferred groups for |ssl| to |group_ids|. Each +// element of |group_ids| should be one of the |SSL_GROUP_*| constants. It +// returns one on success and zero on failure. +OPENSSL_EXPORT int SSL_set1_group_ids(SSL *ssl, const uint16_t *group_ids, + size_t num_group_ids); + +// SSL_get_group_id returns the ID of the group used by |ssl|'s most recently +// completed handshake, or 0 if not applicable. +OPENSSL_EXPORT uint16_t SSL_get_group_id(const SSL *ssl); + +// SSL_get_group_name returns a human-readable name for the group specified by +// the given TLS group ID, or NULL if the group is unknown. +OPENSSL_EXPORT const char *SSL_get_group_name(uint16_t group_id); + +// SSL_get_all_group_names outputs a list of possible strings +// |SSL_get_group_name| may return in this version of BoringSSL. It writes at +// most |max_out| entries to |out| and returns the total number it would have +// written, if |max_out| had been large enough. |max_out| may be initially set +// to zero to size the output. +// +// This function is only intended to help initialize tables in callers that want +// possible strings pre-declared. This list would not be suitable to set a list +// of supported features. It is in no particular order, and may contain +// placeholder, experimental, or deprecated values that do not apply to every +// caller. 
Future versions of BoringSSL may also return strings not in this +// list, so this does not apply if, say, sending strings across services. +OPENSSL_EXPORT size_t SSL_get_all_group_names(const char **out, size_t max_out); + +// The following APIs also configure Diffie-Hellman groups, but use |NID_*| +// constants instead of |SSL_GROUP_*| constants. These are provided for OpenSSL +// compatibility. Where NIDs are unstable constants specific to OpenSSL and +// BoringSSL, group IDs are defined by the TLS protocol. Prefer the group ID +// representation if storing persistently, or exporting to another process or +// library. -// SSL_CTX_set1_groups calls |SSL_CTX_set1_curves|. +// SSL_CTX_set1_groups sets the preferred groups for |ctx| to be |groups|. Each +// element of |groups| should be a |NID_*| constant from nid.h. It returns one +// on success and zero on failure. OPENSSL_EXPORT int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, - size_t groups_len); + size_t num_groups); -// SSL_set1_groups calls |SSL_set1_curves|. +// SSL_set1_groups sets the preferred groups for |ssl| to be |groups|. Each +// element of |groups| should be a |NID_*| constant from nid.h. It returns one +// on success and zero on failure. OPENSSL_EXPORT int SSL_set1_groups(SSL *ssl, const int *groups, - size_t groups_len); + size_t num_groups); -// SSL_CTX_set1_groups_list calls |SSL_CTX_set1_curves_list|. +// SSL_CTX_set1_groups_list decodes |groups| as a colon-separated list of group +// names (e.g. "X25519" or "P-256") and sets |ctx|'s preferred groups to the +// result. It returns one on success and zero on failure. OPENSSL_EXPORT int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups); -// SSL_set1_groups_list calls |SSL_set1_curves_list|. +// SSL_set1_groups_list decodes |groups| as a colon-separated list of group +// names (e.g. "X25519" or "P-256") and sets |ssl|'s preferred groups to the +// result. It returns one on success and zero on failure. 
OPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups); +// SSL_get_negotiated_group returns the NID of the group used by |ssl|'s most +// recently completed handshake, or |NID_undef| if not applicable. +OPENSSL_EXPORT int SSL_get_negotiated_group(const SSL *ssl); + // Certificate verification. // @@ -4892,6 +4963,21 @@ OPENSSL_EXPORT long SSL_get_default_timeout(const SSL *ssl); // For example, "TLSv1.2" or "DTLSv1". OPENSSL_EXPORT const char *SSL_get_version(const SSL *ssl); +// SSL_get_all_version_names outputs a list of possible strings +// |SSL_get_version| may return in this version of BoringSSL. It writes at most +// |max_out| entries to |out| and returns the total number it would have +// written, if |max_out| had been large enough. |max_out| may be initially set +// to zero to size the output. +// +// This function is only intended to help initialize tables in callers that want +// possible strings pre-declared. This list would not be suitable to set a list +// of supported features. It is in no particular order, and may contain +// placeholder, experimental, or deprecated values that do not apply to every +// caller. Future versions of BoringSSL may also return strings not in this +// list, so this does not apply if, say, sending strings across services. +OPENSSL_EXPORT size_t SSL_get_all_version_names(const char **out, + size_t max_out); + // SSL_get_cipher_list returns the name of the |n|th cipher in the output of // |SSL_get_ciphers| or NULL if out of range. Use |SSL_get_ciphers| instead. OPENSSL_EXPORT const char *SSL_get_cipher_list(const SSL *ssl, int n); 
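Review bot: `SSL_get_group_id` replaces the old `SSL_get_curve_id` documentation but drops its TODO that the result is not correct while a renegotiation is in progress, and the new `SSL_get_negotiated_group` comment is silent on the point as well. The header does not show whether the limitation was fixed. If it still applies, callers that log or enforce policy on the negotiated group need the caveat kept, e.g. `// Note: the result may be incorrect while a renegotiation is in progress.` on both functions. If it was fixed, a mention in the commit description would be enough.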
@@ -5016,20 +5102,22 @@ OPENSSL_EXPORT int SSL_state(const SSL *ssl); // Use |SSL_CTX_set_quiet_shutdown| instead. OPENSSL_EXPORT void SSL_set_shutdown(SSL *ssl, int mode); -// SSL_CTX_set_tmp_ecdh calls |SSL_CTX_set1_curves| with a one-element list -// containing |ec_key|'s curve. +// SSL_CTX_set_tmp_ecdh calls |SSL_CTX_set1_groups| with a one-element list +// containing |ec_key|'s curve. The remainder of |ec_key| is ignored. OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key); -// SSL_set_tmp_ecdh calls |SSL_set1_curves| with a one-element list containing -// |ec_key|'s curve. +// SSL_set_tmp_ecdh calls |SSL_set1_groups| with a one-element list containing +// |ec_key|'s curve. The remainder of |ec_key| is ignored. OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key); +#if !defined(OPENSSL_NO_FILESYSTEM) // SSL_add_dir_cert_subjects_to_stack lists files in directory |dir|. It calls // |SSL_add_file_cert_subjects_to_stack| on each file and returns one on success // or zero on error. This function is only available from the libdecrepit // library. OPENSSL_EXPORT int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, const char *dir); +#endif // SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|. OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx); 
@@ -5170,12 +5258,41 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg); SSL_R_TLSV1_ALERT_BAD_CERTIFICATE_HASH_VALUE #define SSL_R_TLSV1_CERTIFICATE_REQUIRED SSL_R_TLSV1_ALERT_CERTIFICATE_REQUIRED -// SSL_CIPHER_get_value calls |SSL_CIPHER_get_protocol_id|. -// -// TODO(davidben): |SSL_CIPHER_get_value| was our name for this function, but -// upstream added it as |SSL_CIPHER_get_protocol_id|. Switch callers to the new -// name and remove this one. -OPENSSL_EXPORT uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher); +// The following symbols are compatibility aliases for |SSL_GROUP_*|. +#define SSL_CURVE_SECP224R1 SSL_GROUP_SECP224R1 +#define SSL_CURVE_SECP256R1 SSL_GROUP_SECP256R1 +#define SSL_CURVE_SECP384R1 SSL_GROUP_SECP384R1 +#define SSL_CURVE_SECP521R1 SSL_GROUP_SECP521R1 +#define SSL_CURVE_X25519 SSL_GROUP_X25519 +#define SSL_CURVE_X25519_KYBER768_DRAFT00 SSL_GROUP_X25519_KYBER768_DRAFT00 + +// SSL_get_curve_id calls |SSL_get_group_id|. +OPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl); + +// SSL_get_curve_name calls |SSL_get_group_name|. +OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id); + +// SSL_get_all_curve_names calls |SSL_get_all_group_names|. +OPENSSL_EXPORT size_t SSL_get_all_curve_names(const char **out, size_t max_out); + +// SSL_CTX_set1_curves calls |SSL_CTX_set1_groups|. +OPENSSL_EXPORT int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, + size_t num_curves); + +// SSL_set1_curves calls |SSL_set1_groups|. +OPENSSL_EXPORT int SSL_set1_curves(SSL *ssl, const int *curves, + size_t num_curves); + +// SSL_CTX_set1_curves_list calls |SSL_CTX_set1_groups_list|. +OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves); + +// SSL_set1_curves_list calls |SSL_set1_groups_list|. +OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); + +// TLSEXT_nid_unknown is a constant used in OpenSSL for +// |SSL_get_negotiated_group| to return an unrecognized group. 
BoringSSL never +// returns this value, but we define this constant for compatibility. +#define TLSEXT_nid_unknown 0x1000000 // Compliance policy configurations @@ -5277,6 +5394,7 @@ OPENSSL_EXPORT int SSL_set_compliance_policy( #define SSL_CTRL_GET_CLIENT_CERT_TYPES doesnt_exist #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS doesnt_exist #define SSL_CTRL_GET_MAX_CERT_LIST doesnt_exist +#define SSL_CTRL_GET_NEGOTIATED_GROUP doesnt_exist #define SSL_CTRL_GET_NUM_RENEGOTIATIONS doesnt_exist #define SSL_CTRL_GET_READ_AHEAD doesnt_exist #define SSL_CTRL_GET_RI_SUPPORT doesnt_exist @@ -5292,6 +5410,8 @@ OPENSSL_EXPORT int SSL_set_compliance_policy( #define SSL_CTRL_SESS_NUMBER doesnt_exist #define SSL_CTRL_SET_CURVES doesnt_exist #define SSL_CTRL_SET_CURVES_LIST doesnt_exist +#define SSL_CTRL_SET_GROUPS doesnt_exist +#define SSL_CTRL_SET_GROUPS_LIST doesnt_exist #define SSL_CTRL_SET_ECDH_AUTO doesnt_exist #define SSL_CTRL_SET_MAX_CERT_LIST doesnt_exist #define SSL_CTRL_SET_MAX_SEND_FRAGMENT doesnt_exist @@ -5341,6 +5461,7 @@ OPENSSL_EXPORT int SSL_set_compliance_policy( #define SSL_CTX_set0_chain SSL_CTX_set0_chain #define SSL_CTX_set1_chain SSL_CTX_set1_chain #define SSL_CTX_set1_curves SSL_CTX_set1_curves +#define SSL_CTX_set1_groups SSL_CTX_set1_groups #define SSL_CTX_set_max_cert_list SSL_CTX_set_max_cert_list #define SSL_CTX_set_max_send_fragment SSL_CTX_set_max_send_fragment #define SSL_CTX_set_mode SSL_CTX_set_mode @@ -5365,6 +5486,7 @@ OPENSSL_EXPORT int SSL_set_compliance_policy( #define SSL_get0_chain_certs SSL_get0_chain_certs #define SSL_get_max_cert_list SSL_get_max_cert_list #define SSL_get_mode SSL_get_mode +#define SSL_get_negotiated_group SSL_get_negotiated_group #define SSL_get_options SSL_get_options #define SSL_get_secure_renegotiation_support \ SSL_get_secure_renegotiation_support 
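Review bot: The block introduced as "compatibility aliases for |SSL_GROUP_*|" defines `SSL_CURVE_X25519_KYBER768_DRAFT00`, a spelling that did not exist before. The names actually removed earlier in this file's diff, `SSL_CURVE_X25519KYBER768` and `SSL_CURVE_P256KYBER768`, get no alias, so existing callers stop compiling. That may be deliberate, to make users acknowledge the draft status and the removal of the P-256 variant. If so, a comment would stop someone from re-adding them later: `// The pre-rename Kyber constants are intentionally not aliased.` This hunk also deletes `SSL_CIPHER_get_value` and its pointer to `SSL_CIPHER_get_protocol_id`, which is worth calling out in the commit description for the same reason.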
@@ -5374,6 +5496,7 @@ OPENSSL_EXPORT int SSL_set_compliance_policy( #define SSL_set0_chain SSL_set0_chain #define SSL_set1_chain SSL_set1_chain #define SSL_set1_curves SSL_set1_curves +#define SSL_set1_groups SSL_set1_groups #define SSL_set_max_cert_list SSL_set_max_cert_list #define SSL_set_max_send_fragment SSL_set_max_send_fragment #define SSL_set_mode SSL_set_mode @@ -5563,7 +5686,6 @@ BSSL_NAMESPACE_END #define SSL_R_NO_CIPHER_MATCH 177 #define SSL_R_NO_COMPRESSION_SPECIFIED 178 #define SSL_R_NO_METHOD_SPECIFIED 179 -#define SSL_R_NO_P256_SUPPORT 180 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 181 #define SSL_R_NO_RENEGOTIATION 182 #define SSL_R_NO_REQUIRED_DIGEST 183 diff --git a/linux-x86/include/openssl/stack.h b/linux-x86/include/openssl/stack.h index 59b1c5e..23b9d89 100644 --- a/linux-x86/include/openssl/stack.h +++ b/linux-x86/include/openssl/stack.h @@ -138,7 +138,8 @@ STACK_OF(SAMPLE) *sk_SAMPLE_new(sk_SAMPLE_cmp_func comp); // NULL on allocation failure. STACK_OF(SAMPLE) *sk_SAMPLE_new_null(void); -// sk_SAMPLE_num returns the number of elements in |sk|. +// sk_SAMPLE_num returns the number of elements in |sk|. It is safe to cast this +// value to |int|. |sk| is guaranteed to have at most |INT_MAX| elements. size_t sk_SAMPLE_num(const STACK_OF(SAMPLE) *sk); // sk_SAMPLE_zero resets |sk| to the empty state but does nothing to free the 
@@ -244,8 +245,11 @@ STACK_OF(SAMPLE) *sk_SAMPLE_deep_copy(const STACK_OF(SAMPLE) *sk, // Private functions. // -// TODO(https://crbug.com/boringssl/499): Rename to |OPENSSL_sk_foo|, after -// external code that calls them is fixed. +// The |sk_*| functions generated above are implemented internally using the +// type-erased functions below. Callers should use the typed wrappers instead. +// When using the type-erased functions, callers are responsible for ensuring +// the underlying types are correct. Casting pointers to the wrong types will +// result in memory errors. // OPENSSL_sk_free_func is a function that frees an element in a stack. Note its // actual type is void (*)(T *) for some T. Low-level |sk_*| functions will be 
@@ -275,69 +279,87 @@ typedef int (*OPENSSL_sk_delete_if_func)(void *obj, void *data); // true types. typedef void (*OPENSSL_sk_call_free_func)(OPENSSL_sk_free_func, void *); typedef void *(*OPENSSL_sk_call_copy_func)(OPENSSL_sk_copy_func, const void *); -typedef int (*OPENSSL_sk_call_cmp_func)(OPENSSL_sk_cmp_func, - const void *const *, - const void *const *); +typedef int (*OPENSSL_sk_call_cmp_func)(OPENSSL_sk_cmp_func, const void *, + const void *); typedef int (*OPENSSL_sk_call_delete_if_func)(OPENSSL_sk_delete_if_func, void *, void *); -// stack_st contains an array of pointers. It is not designed to be used +// An OPENSSL_STACK contains an array of pointers. It is not designed to be used // directly, rather the wrapper macros should be used. -typedef struct stack_st { - // num contains the number of valid pointers in |data|. - size_t num; - void **data; - // sorted is non-zero if the values pointed to by |data| are in ascending - // order, based on |comp|. - int sorted; - // num_alloc contains the number of pointers allocated in the buffer pointed - // to by |data|, which may be larger than |num|. - size_t num_alloc; - // comp is an optional comparison function. - OPENSSL_sk_cmp_func comp; -} _STACK; +typedef struct stack_st OPENSSL_STACK; // The following are raw stack functions. They implement the corresponding typed // |sk_SAMPLE_*| functions generated by |DEFINE_STACK_OF|. Callers shouldn't be // using them. Rather, callers should use the typed functions. 
-OPENSSL_EXPORT _STACK *sk_new(OPENSSL_sk_cmp_func comp); -OPENSSL_EXPORT _STACK *sk_new_null(void); -OPENSSL_EXPORT size_t sk_num(const _STACK *sk); -OPENSSL_EXPORT void sk_zero(_STACK *sk); -OPENSSL_EXPORT void *sk_value(const _STACK *sk, size_t i); -OPENSSL_EXPORT void *sk_set(_STACK *sk, size_t i, void *p); -OPENSSL_EXPORT void sk_free(_STACK *sk); -OPENSSL_EXPORT void sk_pop_free_ex(_STACK *sk, - OPENSSL_sk_call_free_func call_free_func, - OPENSSL_sk_free_func free_func); -OPENSSL_EXPORT size_t sk_insert(_STACK *sk, void *p, size_t where); -OPENSSL_EXPORT void *sk_delete(_STACK *sk, size_t where); -OPENSSL_EXPORT void *sk_delete_ptr(_STACK *sk, const void *p); -OPENSSL_EXPORT void sk_delete_if(_STACK *sk, - OPENSSL_sk_call_delete_if_func call_func, - OPENSSL_sk_delete_if_func func, void *data); -OPENSSL_EXPORT int sk_find(const _STACK *sk, size_t *out_index, const void *p, - OPENSSL_sk_call_cmp_func call_cmp_func); -OPENSSL_EXPORT void *sk_shift(_STACK *sk); -OPENSSL_EXPORT size_t sk_push(_STACK *sk, void *p); -OPENSSL_EXPORT void *sk_pop(_STACK *sk); -OPENSSL_EXPORT _STACK *sk_dup(const _STACK *sk); -OPENSSL_EXPORT void sk_sort(_STACK *sk, OPENSSL_sk_call_cmp_func call_cmp_func); -OPENSSL_EXPORT int sk_is_sorted(const _STACK *sk); -OPENSSL_EXPORT OPENSSL_sk_cmp_func sk_set_cmp_func(_STACK *sk, - OPENSSL_sk_cmp_func comp); -OPENSSL_EXPORT _STACK *sk_deep_copy(const _STACK *sk, - OPENSSL_sk_call_copy_func call_copy_func, - OPENSSL_sk_copy_func copy_func, - OPENSSL_sk_call_free_func call_free_func, - OPENSSL_sk_free_func free_func); - -// sk_pop_free behaves like |sk_pop_free_ex| but performs an invalid function -// pointer cast. It exists because some existing callers called |sk_pop_free| -// directly. 
+OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_cmp_func comp); +OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_new_null(void); +OPENSSL_EXPORT size_t OPENSSL_sk_num(const OPENSSL_STACK *sk); +OPENSSL_EXPORT void OPENSSL_sk_zero(OPENSSL_STACK *sk); +OPENSSL_EXPORT void *OPENSSL_sk_value(const OPENSSL_STACK *sk, size_t i); +OPENSSL_EXPORT void *OPENSSL_sk_set(OPENSSL_STACK *sk, size_t i, void *p); +OPENSSL_EXPORT void OPENSSL_sk_free(OPENSSL_STACK *sk); +OPENSSL_EXPORT void OPENSSL_sk_pop_free_ex( + OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func, + OPENSSL_sk_free_func free_func); +OPENSSL_EXPORT size_t OPENSSL_sk_insert(OPENSSL_STACK *sk, void *p, + size_t where); +OPENSSL_EXPORT void *OPENSSL_sk_delete(OPENSSL_STACK *sk, size_t where); +OPENSSL_EXPORT void *OPENSSL_sk_delete_ptr(OPENSSL_STACK *sk, const void *p); +OPENSSL_EXPORT void OPENSSL_sk_delete_if( + OPENSSL_STACK *sk, OPENSSL_sk_call_delete_if_func call_func, + OPENSSL_sk_delete_if_func func, void *data); +OPENSSL_EXPORT int OPENSSL_sk_find(const OPENSSL_STACK *sk, size_t *out_index, + const void *p, + OPENSSL_sk_call_cmp_func call_cmp_func); +OPENSSL_EXPORT void *OPENSSL_sk_shift(OPENSSL_STACK *sk); +OPENSSL_EXPORT size_t OPENSSL_sk_push(OPENSSL_STACK *sk, void *p); +OPENSSL_EXPORT void *OPENSSL_sk_pop(OPENSSL_STACK *sk); +OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk); +OPENSSL_EXPORT void OPENSSL_sk_sort(OPENSSL_STACK *sk, + OPENSSL_sk_call_cmp_func call_cmp_func); +OPENSSL_EXPORT int OPENSSL_sk_is_sorted(const OPENSSL_STACK *sk); +OPENSSL_EXPORT OPENSSL_sk_cmp_func +OPENSSL_sk_set_cmp_func(OPENSSL_STACK *sk, OPENSSL_sk_cmp_func comp); +OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_deep_copy( + const OPENSSL_STACK *sk, OPENSSL_sk_call_copy_func call_copy_func, + OPENSSL_sk_copy_func copy_func, OPENSSL_sk_call_free_func call_free_func, + OPENSSL_sk_free_func free_func); + + +// Deprecated private functions (hidden). 
+// +// TODO(crbug.com/boringssl/499): Migrate callers to the typed wrappers, or at +// least the new names and remove the old ones. +// +// TODO(b/290792019, b/290785937): Ideally these would at least be inline +// functions, so we do not squat the symbols. + +typedef OPENSSL_STACK _STACK; + +// The following functions call the corresponding |OPENSSL_sk_*| function. +OPENSSL_EXPORT OPENSSL_DEPRECATED OPENSSL_STACK *sk_new_null(void); +OPENSSL_EXPORT OPENSSL_DEPRECATED size_t sk_num(const OPENSSL_STACK *sk); +OPENSSL_EXPORT OPENSSL_DEPRECATED void *sk_value(const OPENSSL_STACK *sk, + size_t i); +OPENSSL_EXPORT OPENSSL_DEPRECATED void sk_free(OPENSSL_STACK *sk); +OPENSSL_EXPORT OPENSSL_DEPRECATED size_t sk_push(OPENSSL_STACK *sk, void *p); +OPENSSL_EXPORT OPENSSL_DEPRECATED void *sk_pop(OPENSSL_STACK *sk); + +// sk_pop_free_ex calls |OPENSSL_sk_pop_free_ex|. +// +// TODO(b/291994116): Remove this. +OPENSSL_EXPORT OPENSSL_DEPRECATED void sk_pop_free_ex( + OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func, + OPENSSL_sk_free_func free_func); + +// sk_pop_free behaves like |OPENSSL_sk_pop_free_ex| but performs an invalid +// function pointer cast. It exists because some existing callers called +// |sk_pop_free| directly. // // TODO(davidben): Migrate callers to bssl::UniquePtr and remove this. -OPENSSL_EXPORT void sk_pop_free(_STACK *sk, OPENSSL_sk_free_func free_func); +OPENSSL_EXPORT OPENSSL_DEPRECATED void sk_pop_free( + OPENSSL_STACK *sk, OPENSSL_sk_free_func free_func); + #if !defined(BORINGSSL_NO_CXX) extern "C++" { 
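Review bot: `sk_pop_free` stays exported at the end of this hunk with a comment admitting it "performs an invalid function pointer cast", but the comment does not tell a caller what that means in practice. Calling a function through a pointer of the wrong type is undefined behaviour in C and is the kind of call that control-flow-integrity builds typically reject. I would say so and name the safe replacement, e.g. `// Calling |free_func| through the wrong type is undefined behavior; use the typed |sk_TYPE_pop_free|, or |OPENSSL_sk_pop_free_ex| with a correctly typed thunk.` The deprecated block keeps only eight of the old `sk_*` names, so a comment listing which ones were dropped without an alias would help out-of-tree callers read the resulting build errors.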
@@ -367,153 +389,151 @@ BSSL_NAMESPACE_END #define BORINGSSL_DEFINE_STACK_TRAITS(name, type, is_const) #endif -#define BORINGSSL_DEFINE_STACK_OF_IMPL(name, ptrtype, constptrtype) \ - /* We disable MSVC C4191 in this macro, which warns when pointers are cast \ - * to the wrong type. While the cast itself is valid, it is often a bug \ - * because calling it through the cast is UB. However, we never actually \ - * call functions as |OPENSSL_sk_cmp_func|. The type is just a type-erased \ - * function pointer. (C does not guarantee function pointers fit in \ - * |void*|, and GCC will warn on this.) Thus we just disable the false \ - * positive warning. */ \ - OPENSSL_MSVC_PRAGMA(warning(push)) \ - OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \ - \ - DECLARE_STACK_OF(name) \ - \ - typedef void (*sk_##name##_free_func)(ptrtype); \ - typedef ptrtype (*sk_##name##_copy_func)(constptrtype); \ - typedef int (*sk_##name##_cmp_func)(constptrtype const *, \ - constptrtype const *); \ - typedef int (*sk_##name##_delete_if_func)(ptrtype, void *); \ - \ - OPENSSL_INLINE void sk_##name##_call_free_func( \ - OPENSSL_sk_free_func free_func, void *ptr) { \ - ((sk_##name##_free_func)free_func)((ptrtype)ptr); \ - } \ - \ - OPENSSL_INLINE void *sk_##name##_call_copy_func( \ - OPENSSL_sk_copy_func copy_func, const void *ptr) { \ - return (void *)((sk_##name##_copy_func)copy_func)((constptrtype)ptr); \ - } \ - \ - OPENSSL_INLINE int sk_##name##_call_cmp_func(OPENSSL_sk_cmp_func cmp_func, \ - const void *const *a, \ - const void *const *b) { \ - /* The data is actually stored as |void*| pointers, so read the pointer \ - * as |void*| and then pass the corrected type into the caller-supplied \ - * function, which expects |constptrtype*|. 
*/ \ - constptrtype a_ptr = (constptrtype)*a; \ - constptrtype b_ptr = (constptrtype)*b; \ - return ((sk_##name##_cmp_func)cmp_func)(&a_ptr, &b_ptr); \ - } \ - \ - OPENSSL_INLINE int sk_##name##_call_delete_if_func( \ - OPENSSL_sk_delete_if_func func, void *obj, void *data) { \ - return ((sk_##name##_delete_if_func)func)((ptrtype)obj, data); \ - } \ - \ - OPENSSL_INLINE STACK_OF(name) *sk_##name##_new(sk_##name##_cmp_func comp) { \ - return (STACK_OF(name) *)sk_new((OPENSSL_sk_cmp_func)comp); \ - } \ - \ - OPENSSL_INLINE STACK_OF(name) *sk_##name##_new_null(void) { \ - return (STACK_OF(name) *)sk_new_null(); \ - } \ - \ - OPENSSL_INLINE size_t sk_##name##_num(const STACK_OF(name) *sk) { \ - return sk_num((const _STACK *)sk); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_zero(STACK_OF(name) *sk) { \ - sk_zero((_STACK *)sk); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_value(const STACK_OF(name) *sk, \ - size_t i) { \ - return (ptrtype)sk_value((const _STACK *)sk, i); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_set(STACK_OF(name) *sk, size_t i, \ - ptrtype p) { \ - return (ptrtype)sk_set((_STACK *)sk, i, (void *)p); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_free(STACK_OF(name) *sk) { \ - sk_free((_STACK *)sk); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_pop_free(STACK_OF(name) *sk, \ - sk_##name##_free_func free_func) { \ - sk_pop_free_ex((_STACK *)sk, sk_##name##_call_free_func, \ - (OPENSSL_sk_free_func)free_func); \ - } \ - \ - OPENSSL_INLINE size_t sk_##name##_insert(STACK_OF(name) *sk, ptrtype p, \ - size_t where) { \ - return sk_insert((_STACK *)sk, (void *)p, where); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_delete(STACK_OF(name) *sk, \ - size_t where) { \ - return (ptrtype)sk_delete((_STACK *)sk, where); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_delete_ptr(STACK_OF(name) *sk, \ - constptrtype p) { \ - return (ptrtype)sk_delete_ptr((_STACK *)sk, (const void *)p); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_delete_if( \ - 
STACK_OF(name) *sk, sk_##name##_delete_if_func func, void *data) { \ - sk_delete_if((_STACK *)sk, sk_##name##_call_delete_if_func, \ - (OPENSSL_sk_delete_if_func)func, data); \ - } \ - \ - OPENSSL_INLINE int sk_##name##_find(const STACK_OF(name) *sk, \ - size_t *out_index, constptrtype p) { \ - return sk_find((const _STACK *)sk, out_index, (const void *)p, \ - sk_##name##_call_cmp_func); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_shift(STACK_OF(name) *sk) { \ - return (ptrtype)sk_shift((_STACK *)sk); \ - } \ - \ - OPENSSL_INLINE size_t sk_##name##_push(STACK_OF(name) *sk, ptrtype p) { \ - return sk_push((_STACK *)sk, (void *)p); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_pop(STACK_OF(name) *sk) { \ - return (ptrtype)sk_pop((_STACK *)sk); \ - } \ - \ - OPENSSL_INLINE STACK_OF(name) *sk_##name##_dup(const STACK_OF(name) *sk) { \ - return (STACK_OF(name) *)sk_dup((const _STACK *)sk); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_sort(STACK_OF(name) *sk) { \ - sk_sort((_STACK *)sk, sk_##name##_call_cmp_func); \ - } \ - \ - OPENSSL_INLINE int sk_##name##_is_sorted(const STACK_OF(name) *sk) { \ - return sk_is_sorted((const _STACK *)sk); \ - } \ - \ - OPENSSL_INLINE sk_##name##_cmp_func sk_##name##_set_cmp_func( \ - STACK_OF(name) *sk, sk_##name##_cmp_func comp) { \ - return (sk_##name##_cmp_func)sk_set_cmp_func((_STACK *)sk, \ - (OPENSSL_sk_cmp_func)comp); \ - } \ - \ - OPENSSL_INLINE STACK_OF(name) *sk_##name##_deep_copy( \ - const STACK_OF(name) *sk, sk_##name##_copy_func copy_func, \ - sk_##name##_free_func free_func) { \ - return (STACK_OF(name) *)sk_deep_copy( \ - (const _STACK *)sk, sk_##name##_call_copy_func, \ - (OPENSSL_sk_copy_func)copy_func, sk_##name##_call_free_func, \ - (OPENSSL_sk_free_func)free_func); \ - } \ - \ +#define BORINGSSL_DEFINE_STACK_OF_IMPL(name, ptrtype, constptrtype) \ + /* We disable MSVC C4191 in this macro, which warns when pointers are cast \ + * to the wrong type. 
While the cast itself is valid, it is often a bug \ + * because calling it through the cast is UB. However, we never actually \ + * call functions as |OPENSSL_sk_cmp_func|. The type is just a type-erased \ + * function pointer. (C does not guarantee function pointers fit in \ + * |void*|, and GCC will warn on this.) Thus we just disable the false \ + * positive warning. */ \ + OPENSSL_MSVC_PRAGMA(warning(push)) \ + OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \ + \ + DECLARE_STACK_OF(name) \ + \ + typedef void (*sk_##name##_free_func)(ptrtype); \ + typedef ptrtype (*sk_##name##_copy_func)(constptrtype); \ + typedef int (*sk_##name##_cmp_func)(constptrtype const *, \ + constptrtype const *); \ + typedef int (*sk_##name##_delete_if_func)(ptrtype, void *); \ + \ + OPENSSL_INLINE void sk_##name##_call_free_func( \ + OPENSSL_sk_free_func free_func, void *ptr) { \ + ((sk_##name##_free_func)free_func)((ptrtype)ptr); \ + } \ + \ + OPENSSL_INLINE void *sk_##name##_call_copy_func( \ + OPENSSL_sk_copy_func copy_func, const void *ptr) { \ + return (void *)((sk_##name##_copy_func)copy_func)((constptrtype)ptr); \ + } \ + \ + OPENSSL_INLINE int sk_##name##_call_cmp_func(OPENSSL_sk_cmp_func cmp_func, \ + const void *a, const void *b) { \ + constptrtype a_ptr = (constptrtype)a; \ + constptrtype b_ptr = (constptrtype)b; \ + /* |cmp_func| expects an extra layer of pointers to match qsort. 
*/ \ + return ((sk_##name##_cmp_func)cmp_func)(&a_ptr, &b_ptr); \ + } \ + \ + OPENSSL_INLINE int sk_##name##_call_delete_if_func( \ + OPENSSL_sk_delete_if_func func, void *obj, void *data) { \ + return ((sk_##name##_delete_if_func)func)((ptrtype)obj, data); \ + } \ + \ + OPENSSL_INLINE STACK_OF(name) *sk_##name##_new(sk_##name##_cmp_func comp) { \ + return (STACK_OF(name) *)OPENSSL_sk_new((OPENSSL_sk_cmp_func)comp); \ + } \ + \ + OPENSSL_INLINE STACK_OF(name) *sk_##name##_new_null(void) { \ + return (STACK_OF(name) *)OPENSSL_sk_new_null(); \ + } \ + \ + OPENSSL_INLINE size_t sk_##name##_num(const STACK_OF(name) *sk) { \ + return OPENSSL_sk_num((const OPENSSL_STACK *)sk); \ + } \ + \ + OPENSSL_INLINE void sk_##name##_zero(STACK_OF(name) *sk) { \ + OPENSSL_sk_zero((OPENSSL_STACK *)sk); \ + } \ + \ + OPENSSL_INLINE ptrtype sk_##name##_value(const STACK_OF(name) *sk, \ + size_t i) { \ + return (ptrtype)OPENSSL_sk_value((const OPENSSL_STACK *)sk, i); \ + } \ + \ + OPENSSL_INLINE ptrtype sk_##name##_set(STACK_OF(name) *sk, size_t i, \ + ptrtype p) { \ + return (ptrtype)OPENSSL_sk_set((OPENSSL_STACK *)sk, i, (void *)p); \ + } \ + \ + OPENSSL_INLINE void sk_##name##_free(STACK_OF(name) *sk) { \ + OPENSSL_sk_free((OPENSSL_STACK *)sk); \ + } \ + \ + OPENSSL_INLINE void sk_##name##_pop_free(STACK_OF(name) *sk, \ + sk_##name##_free_func free_func) { \ + OPENSSL_sk_pop_free_ex((OPENSSL_STACK *)sk, sk_##name##_call_free_func, \ + (OPENSSL_sk_free_func)free_func); \ + } \ + \ + OPENSSL_INLINE size_t sk_##name##_insert(STACK_OF(name) *sk, ptrtype p, \ + size_t where) { \ + return OPENSSL_sk_insert((OPENSSL_STACK *)sk, (void *)p, where); \ + } \ + \ + OPENSSL_INLINE ptrtype sk_##name##_delete(STACK_OF(name) *sk, \ + size_t where) { \ + return (ptrtype)OPENSSL_sk_delete((OPENSSL_STACK *)sk, where); \ + } \ + \ + OPENSSL_INLINE ptrtype sk_##name##_delete_ptr(STACK_OF(name) *sk, \ + constptrtype p) { \ + return (ptrtype)OPENSSL_sk_delete_ptr((OPENSSL_STACK *)sk, \ + (const void *)p); 
\ + } \ + \ + OPENSSL_INLINE void sk_##name##_delete_if( \ + STACK_OF(name) *sk, sk_##name##_delete_if_func func, void *data) { \ + OPENSSL_sk_delete_if((OPENSSL_STACK *)sk, sk_##name##_call_delete_if_func, \ + (OPENSSL_sk_delete_if_func)func, data); \ + } \ + \ + OPENSSL_INLINE int sk_##name##_find(const STACK_OF(name) *sk, \ + size_t *out_index, constptrtype p) { \ + return OPENSSL_sk_find((const OPENSSL_STACK *)sk, out_index, \ + (const void *)p, sk_##name##_call_cmp_func); \ + } \ + \ + OPENSSL_INLINE ptrtype sk_##name##_shift(STACK_OF(name) *sk) { \ + return (ptrtype)OPENSSL_sk_shift((OPENSSL_STACK *)sk); \ + } \ + \ + OPENSSL_INLINE size_t sk_##name##_push(STACK_OF(name) *sk, ptrtype p) { \ + return OPENSSL_sk_push((OPENSSL_STACK *)sk, (void *)p); \ + } \ + \ + OPENSSL_INLINE ptrtype sk_##name##_pop(STACK_OF(name) *sk) { \ + return (ptrtype)OPENSSL_sk_pop((OPENSSL_STACK *)sk); \ + } \ + \ + OPENSSL_INLINE STACK_OF(name) *sk_##name##_dup(const STACK_OF(name) *sk) { \ + return (STACK_OF(name) *)OPENSSL_sk_dup((const OPENSSL_STACK *)sk); \ + } \ + \ + OPENSSL_INLINE void sk_##name##_sort(STACK_OF(name) *sk) { \ + OPENSSL_sk_sort((OPENSSL_STACK *)sk, sk_##name##_call_cmp_func); \ + } \ + \ + OPENSSL_INLINE int sk_##name##_is_sorted(const STACK_OF(name) *sk) { \ + return OPENSSL_sk_is_sorted((const OPENSSL_STACK *)sk); \ + } \ + \ + OPENSSL_INLINE sk_##name##_cmp_func sk_##name##_set_cmp_func( \ + STACK_OF(name) *sk, sk_##name##_cmp_func comp) { \ + return (sk_##name##_cmp_func)OPENSSL_sk_set_cmp_func( \ + (OPENSSL_STACK *)sk, (OPENSSL_sk_cmp_func)comp); \ + } \ + \ + OPENSSL_INLINE STACK_OF(name) *sk_##name##_deep_copy( \ + const STACK_OF(name) *sk, sk_##name##_copy_func copy_func, \ + sk_##name##_free_func free_func) { \ + return (STACK_OF(name) *)OPENSSL_sk_deep_copy( \ + (const OPENSSL_STACK *)sk, sk_##name##_call_copy_func, \ + (OPENSSL_sk_copy_func)copy_func, sk_##name##_call_free_func, \ + (OPENSSL_sk_free_func)free_func); \ + } \ + \ 
OPENSSL_MSVC_PRAGMA(warning(pop)) @@ -541,7 +561,9 @@ namespace internal { // Stacks defined with |DEFINE_CONST_STACK_OF| are freed with |sk_free|. template <typename Stack> struct DeleterImpl<Stack, std::enable_if_t<StackTraits<Stack>::kIsConst>> { - static void Free(Stack *sk) { sk_free(reinterpret_cast<_STACK *>(sk)); } + static void Free(Stack *sk) { + OPENSSL_sk_free(reinterpret_cast<OPENSSL_STACK *>(sk)); + } }; // Stacks defined with |DEFINE_STACK_OF| are freed with |sk_pop_free| and the @@ -552,11 +574,12 @@ struct DeleterImpl<Stack, std::enable_if_t<!StackTraits<Stack>::kIsConst>> { // sk_FOO_pop_free is defined by macros and bound by name, so we cannot // access it from C++ here. using Type = typename StackTraits<Stack>::Type; - sk_pop_free_ex(reinterpret_cast<_STACK *>(sk), - [](OPENSSL_sk_free_func /* unused */, void *ptr) { - DeleterImpl<Type>::Free(reinterpret_cast<Type *>(ptr)); - }, - nullptr); + OPENSSL_sk_pop_free_ex( + reinterpret_cast<OPENSSL_STACK *>(sk), + [](OPENSSL_sk_free_func /* unused */, void *ptr) { + DeleterImpl<Type>::Free(reinterpret_cast<Type *>(ptr)); + }, + nullptr); } }; @@ -577,7 +600,7 @@ class StackIteratorImpl { Type *operator*() const { return reinterpret_cast<Type *>( - sk_value(reinterpret_cast<const _STACK *>(sk_), idx_)); + OPENSSL_sk_value(reinterpret_cast<const OPENSSL_STACK *>(sk_), idx_)); } StackIteratorImpl &operator++(/* prefix */) { @@ -608,10 +631,10 @@ template <typename Stack> inline std::enable_if_t<!internal::StackTraits<Stack>::kIsConst, bool> PushToStack(Stack *sk, UniquePtr<typename internal::StackTraits<Stack>::Type> elem) { - if (!sk_push(reinterpret_cast<_STACK *>(sk), elem.get())) { + if (!OPENSSL_sk_push(reinterpret_cast<OPENSSL_STACK *>(sk), elem.get())) { return false; } - // sk_push takes ownership on success. + // OPENSSL_sk_push takes ownership on success. elem.release(); return true; } 
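Review bot: The rewritten `sk_##name##_call_cmp_func` drops the old explanation of what `a` and `b` point to, leaving only "|cmp_func| expects an extra layer of pointers to match qsort". That does not say that the two arguments are now the stored elements themselves rather than the addresses of stack slots. Since the thunk signature changed from `const void *const *` to `const void *` in this commit, I would state it in the comment: `/* |a| and |b| are the stored elements, not pointers to slots; |cmp_func| takes pointers to them, as qsort would pass. */`.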
@@ -627,7 +650,7 @@ inline bssl::internal::StackIterator<Stack> begin(const Stack *sk) { template <typename Stack> inline bssl::internal::StackIterator<Stack> end(const Stack *sk) { return bssl::internal::StackIterator<Stack>( - sk, sk_num(reinterpret_cast<const _STACK *>(sk))); + sk, OPENSSL_sk_num(reinterpret_cast<const OPENSSL_STACK *>(sk))); } } // extern C++ diff --git a/linux-x86/include/openssl/target.h b/linux-x86/include/openssl/target.h new file mode 100644 index 0000000..f830c14 --- /dev/null +++ b/linux-x86/include/openssl/target.h 
@@ -0,0 +1,177 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_TARGET_H +#define OPENSSL_HEADER_TARGET_H + +// Preprocessor symbols that define the target platform. +// +// This file may be included in C, C++, and assembler and must be compatible +// with each environment. It is separated out only to share code between +// <openssl/base.h> and <openssl/asm_base.h>. Prefer to include those headers +// instead. 
+ +#if defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) +#define OPENSSL_64_BIT +#define OPENSSL_X86_64 +#elif defined(__x86) || defined(__i386) || defined(__i386__) || defined(_M_IX86) +#define OPENSSL_32_BIT +#define OPENSSL_X86 +#elif defined(__AARCH64EL__) || defined(_M_ARM64) +#define OPENSSL_64_BIT +#define OPENSSL_AARCH64 +#elif defined(__ARMEL__) || defined(_M_ARM) +#define OPENSSL_32_BIT +#define OPENSSL_ARM +#elif defined(__MIPSEL__) && !defined(__LP64__) +#define OPENSSL_32_BIT +#define OPENSSL_MIPS +#elif defined(__MIPSEL__) && defined(__LP64__) +#define OPENSSL_64_BIT +#define OPENSSL_MIPS64 +#elif defined(__riscv) && __SIZEOF_POINTER__ == 8 +#define OPENSSL_64_BIT +#define OPENSSL_RISCV64 +#elif defined(__riscv) && __SIZEOF_POINTER__ == 4 +#define OPENSSL_32_BIT +#elif defined(__pnacl__) +#define OPENSSL_32_BIT +#define OPENSSL_PNACL +#elif defined(__wasm__) +#define OPENSSL_32_BIT +#elif defined(__asmjs__) +#define OPENSSL_32_BIT +#elif defined(__myriad2__) +#define OPENSSL_32_BIT +#else +// Note BoringSSL only supports standard 32-bit and 64-bit two's-complement, +// little-endian architectures. Functions will not produce the correct answer +// on other systems. Run the crypto_test binary, notably +// crypto/compiler_test.cc, before adding a new architecture. +#error "Unknown target CPU" +#endif + +#if defined(__APPLE__) +#define OPENSSL_APPLE +#endif + +#if defined(_WIN32) +#define OPENSSL_WINDOWS +#endif + +// Trusty and Android baremetal aren't't Linux but currently define __linux__. +// As a workaround, we exclude them here. +// +// TODO(b/169780122): Remove this workaround once Trusty no longer defines it. +// TODO(b/291101350): Remove this workaround once Android baremetal no longer +// defines it. +#if defined(__linux__) && !defined(__TRUSTY__) && !defined(ANDROID_BAREMETAL) +#define OPENSSL_LINUX +#endif + +#if defined(__Fuchsia__) +#define OPENSSL_FUCHSIA +#endif + +// Trusty is Android's TEE target. 
See +// https://source.android.com/docs/security/features/trusty +// +// Defining this on any other platform is not supported. Other embedded +// platforms must introduce their own defines. +#if defined(__TRUSTY__) +#define OPENSSL_TRUSTY +#define OPENSSL_NO_FILESYSTEM +#define OPENSSL_NO_POSIX_IO +#define OPENSSL_NO_SOCK +#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED +#endif + +// nanolibc is a particular minimal libc implementation. Defining this on any +// other platform is not supported. Other embedded platforms must introduce +// their own defines. +#if defined(OPENSSL_NANOLIBC) +#define OPENSSL_NO_FILESYSTEM +#define OPENSSL_NO_POSIX_IO +#define OPENSSL_NO_SOCK +#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED +#endif + +// Android baremetal is an embedded target that uses a subset of bionic. +// Defining this on any other platform is not supported. Other embedded +// platforms must introduce their own defines. +#if defined(ANDROID_BAREMETAL) +#define OPENSSL_NO_FILESYSTEM +#define OPENSSL_NO_POSIX_IO +#define OPENSSL_NO_SOCK +#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED +#endif + +#if defined(__ANDROID_API__) +#define OPENSSL_ANDROID +#endif + +#if defined(__FreeBSD__) +#define OPENSSL_FREEBSD +#endif + +#if defined(__OpenBSD__) +#define OPENSSL_OPENBSD +#endif + +// BoringSSL requires platform's locking APIs to make internal global state +// thread-safe, including the PRNG. On some single-threaded embedded platforms, +// locking APIs may not exist, so this dependency may be disabled with the +// following build flag. +// +// IMPORTANT: Doing so means the consumer promises the library will never be +// used in any multi-threaded context. It causes BoringSSL to be globally +// thread-unsafe. Setting it inappropriately will subtly and unpredictably +// corrupt memory and leak secret keys. +// +// Do not set this flag on any platform where threads are possible. 
BoringSSL +// maintainers will not provide support for any consumers that do so. Changes +// which break such unsupported configurations will not be reverted. +#if !defined(OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED) +#define OPENSSL_THREADS +#endif + +#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) && \ + !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) +#define BORINGSSL_UNSAFE_DETERMINISTIC_MODE +#endif + +#if defined(__has_feature) +#if __has_feature(address_sanitizer) +#define OPENSSL_ASAN +#endif +#if __has_feature(thread_sanitizer) +#define OPENSSL_TSAN +#endif +#if __has_feature(memory_sanitizer) +#define OPENSSL_MSAN +#define OPENSSL_ASM_INCOMPATIBLE +#endif +#if __has_feature(hwaddress_sanitizer) +#define OPENSSL_HWASAN +#endif +#endif + +#if defined(OPENSSL_ASM_INCOMPATIBLE) +#undef OPENSSL_ASM_INCOMPATIBLE +#if !defined(OPENSSL_NO_ASM) +#define OPENSSL_NO_ASM +#endif +#endif // OPENSSL_ASM_INCOMPATIBLE + +#endif // OPENSSL_HEADER_TARGET_H diff --git a/linux-x86/include/openssl/thread.h b/linux-x86/include/openssl/thread.h index c6e357e..366ad61 100644 --- a/linux-x86/include/openssl/thread.h +++ b/linux-x86/include/openssl/thread.h 
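Review bot: The sanitizer block near the end of the new header only runs under `#if defined(__has_feature)`, so a compiler that does not provide `__has_feature` (older GCC releases, for example) never gets `OPENSSL_ASAN` or `OPENSSL_TSAN` even when the build is instrumented. GCC signals those builds with `__SANITIZE_ADDRESS__` and `__SANITIZE_THREAD__`, so an extra check such as `#if defined(__SANITIZE_ADDRESS__) && !defined(OPENSSL_ASAN)`, `#define OPENSSL_ASAN`, `#endif` (and the same for TSan) would cover them. Whether any code keyed on these macros matters for GCC builds is not visible here. Separately, the comment above the `OPENSSL_LINUX` check reads "aren't't", and the 32-bit RISC-V, wasm, asm.js and myriad2 branches set only `OPENSSL_32_BIT` with no architecture macro, which deserves a one-line comment saying that is intentional.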
@@ -66,37 +66,13 @@ extern "C" { #endif -#if !defined(OPENSSL_THREADS) -typedef struct crypto_mutex_st { - char padding; // Empty structs have different sizes in C and C++. -} CRYPTO_MUTEX; -#elif defined(OPENSSL_WINDOWS) -// CRYPTO_MUTEX can appear in public header files so we really don't want to -// pull in windows.h. It's statically asserted that this structure is large -// enough to contain a Windows SRWLOCK by thread_win.c. -typedef union crypto_mutex_st { - void *handle; -} CRYPTO_MUTEX; -#elif !defined(__GLIBC__) -typedef pthread_rwlock_t CRYPTO_MUTEX; -#else -// On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't -// ensure that we'll be able to get it from a public header. It's statically -// asserted that this structure is large enough to contain a |pthread_rwlock_t| -// by thread_pthread.c. -typedef union crypto_mutex_st { - double alignment; - uint8_t padding[3*sizeof(int) + 5*sizeof(unsigned) + 16 + 8]; -} CRYPTO_MUTEX; -#endif - // CRYPTO_refcount_t is the type of a reference count. // // Since some platforms use C11 atomics to access this, it should have the // _Atomic qualifier. However, this header is included by C++ programs as well // as C code that might not set -std=c11. So, in practice, it's not possible to // do that. Instead we statically assert that the size and native alignment of -// a plain uint32_t and an _Atomic uint32_t are equal in refcount_c11.c. +// a plain uint32_t and an _Atomic uint32_t are equal in refcount.c. typedef uint32_t CRYPTO_refcount_t; diff --git a/linux-x86/include/openssl/tls1.h b/linux-x86/include/openssl/tls1.h index 724d580..772fb87 100644 --- a/linux-x86/include/openssl/tls1.h +++ b/linux-x86/include/openssl/tls1.h 
@@ -408,6 +408,8 @@ extern "C" { #define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA 0x0300C013 #define TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA 0x0300C014 +#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0x0300C027 + #define TLS1_CK_ECDH_anon_WITH_NULL_SHA 0x0300C015 #define TLS1_CK_ECDH_anon_WITH_RC4_128_SHA 0x0300C016 #define TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA 0x0300C017 @@ -518,6 +520,8 @@ extern "C" { #define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA "ECDHE-RSA-AES128-SHA" #define TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA "ECDHE-RSA-AES256-SHA" +#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA256 "ECDHE-RSA-AES128-SHA256" + #define TLS1_TXT_ECDH_anon_WITH_NULL_SHA "AECDH-NULL-SHA" #define TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA "AECDH-RC4-SHA" #define TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA "AECDH-DES-CBC3-SHA" diff --git a/linux-x86/include/openssl/x509.h b/linux-x86/include/openssl/x509.h index 8deb767..0334457 100644 --- a/linux-x86/include/openssl/x509.h +++ b/linux-x86/include/openssl/x509.h @@ -1999,7 +1999,7 @@ OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk, // // WARNING: Unlike most comparison functions, this function returns zero on // error, not equality. -OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t); +OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, const time_t *t); // X509_cmp_time_posix compares |s| against |t|. On success, it returns a // negative number if |s| <= |t| and a positive number if |s| > |t|. On error, 
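Review bot: `TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256` and its `TLS1_TXT_` name in the second tls1.h hunk are added without any comment, and nothing in the header says whether this CBC suite is negotiated by default or only when a caller names it. CBC suites in TLS 1.2 apply the MAC before encrypting and have a history of padding-oracle problems, so a reader auditing cipher configuration needs that answer next to the constant. I would add a line such as `// Legacy CBC suite kept for compatibility; prefer the AEAD suites.` plus a statement of its default status once confirmed against the cipher list code, which is outside this diff.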
@@ -2015,12 +2015,12 @@ OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); // X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, - time_t *t); + const time_t *t); // X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If // |t| is NULL, it uses the current time instead of |*t|. OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, - long offset_sec, time_t *t); + long offset_sec, const time_t *t); // X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the // current time. @@ -2529,7 +2529,7 @@ OPENSSL_EXPORT X509_TRUST *X509_TRUST_get0(int idx); OPENSSL_EXPORT int X509_TRUST_get_by_id(int id); OPENSSL_EXPORT int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), - char *name, int arg1, void *arg2); + const char *name, int arg1, void *arg2); OPENSSL_EXPORT void X509_TRUST_cleanup(void); OPENSSL_EXPORT int X509_TRUST_get_flags(const X509_TRUST *xp); OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp); @@ -2770,6 +2770,11 @@ OPENSSL_EXPORT void X509_STORE_set_verify(X509_STORE *ctx, OPENSSL_EXPORT void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify); OPENSSL_EXPORT X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx); + +// X509_STORE_set_verify_cb acts like |X509_STORE_CTX_set_verify_cb| but sets +// the verify callback for any |X509_STORE_CTX| created from this |X509_STORE| +// +// Do not use this funciton. see |X509_STORE_CTX_set_verify_cb|. OPENSSL_EXPORT void X509_STORE_set_verify_cb( X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb); #define X509_STORE_set_verify_cb_func(ctx, func) \ 
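Review bot: The comment added above `X509_STORE_set_verify_cb` in the third hunk has a typo and two punctuation slips ("funciton", no full stop after `|X509_STORE|`, lower-case "see"), and it is the only warning a caller sees at this declaration. Suggested wording for the last line: `// Do not use this function. See |X509_STORE_CTX_set_verify_cb| for why.` Repeating the one-line reason here (the callback can make verification proceed past an error) would keep the warning useful for readers who do not follow the cross-reference.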
@@ -2859,14 +2864,12 @@ OPENSSL_EXPORT int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, OPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); -#ifndef OPENSSL_NO_STDIO OPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type); OPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type); OPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type); -#endif OPENSSL_EXPORT X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method); OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx); @@ -2875,11 +2878,9 @@ OPENSSL_EXPORT int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, X509_OBJECT *ret); OPENSSL_EXPORT int X509_LOOKUP_shutdown(X509_LOOKUP *ctx); -#ifndef OPENSSL_NO_STDIO OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *ctx, const char *file, const char *dir); OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *ctx); -#endif OPENSSL_EXPORT int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s); OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); 
@@ -2910,8 +2911,27 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags, int64_t t); + +// X509_STORE_CTX_set_verify_cb configures a callback function for |ctx| that is +// called multiple times during |X509_verify_cert|. The callback returns zero to +// fail verification and non-zero to proceed. Typically, it will return |ok|, +// which preserves the default behavior. Returning one when |ok| is zero will +// proceed past some error. The callback may inspect |ctx| and the error queue +// to attempt to determine the current stage of certificate verification, but +// this is often unreliable. +// +// WARNING: Do not use this function. It is extremely fragile and unpredictable. +// This callback exposes implementation details of certificate verification, +// which change as the library evolves. Attempting to use it for security checks +// can introduce vulnerabilities if making incorrect assumptions about when the +// callback is called. Additionally, overriding |ok| may leave |ctx| in an +// inconsistent state and break invariants. +// +// Instead, customize certificate verification by configuring options on the +// |X509_STORE_CTX| before verification, or applying additional checks after +// |X509_verify_cert| completes successfully. OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb( - X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)); + X509_STORE_CTX *ctx, int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param( X509_STORE_CTX *ctx); diff --git a/linux-x86/include/openssl/x509v3.h b/linux-x86/include/openssl/x509v3.h index d9c862d..2a2e02c 100644 --- a/linux-x86/include/openssl/x509v3.h +++ b/linux-x86/include/openssl/x509v3.h 
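Review bot: The new WARNING on `X509_STORE_CTX_set_verify_cb` says that returning one when `ok` is zero "will proceed past some error", but it does not name the most common misuse: a callback that returns non-zero unconditionally. I would add one sentence to the WARNING paragraph, for example `// In particular, a callback that always returns one makes |X509_verify_cert| ignore every error reported through the callback.` Separately, the declaration could take `X509_STORE_CTX_verify_cb verify_cb`, the typedef that `X509_STORE_set_verify_cb` already uses earlier in this header, so the two setters cannot drift apart.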
@@ -549,9 +549,11 @@ OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val); // // These functions are not safe to use with untrusted inputs. The string formats // may implicitly reference context information and, in OpenSSL (though not -// BoringSSL), one even allows reading arbitrary files. They additionally see -// much less testing and review than most of the library and may have bugs -// including memory leaks or crashes. +// BoringSSL), one even allows reading arbitrary files. Many formats can also +// produce far larger outputs than their inputs, so untrusted inputs may lead to +// denial-of-service attacks. Finally, the parsers see much less testing and +// review than most of the library and may have bugs including memory leaks or +// crashes. // v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for // constructing extensions. Some string formats reference additional values in @@ -904,12 +906,13 @@ OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509); OPENSSL_EXPORT int X509_PURPOSE_get_count(void); OPENSSL_EXPORT X509_PURPOSE *X509_PURPOSE_get0(int idx); -OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(char *sname); +OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname); OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id); OPENSSL_EXPORT int X509_PURPOSE_add(int id, int trust, int flags, int (*ck)(const X509_PURPOSE *, const X509 *, int), - char *name, char *sname, void *arg); + const char *name, const char *sname, + void *arg); OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp); OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp); OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); |