From 6904becae3568781e258837f8f27a5c1e51a2db8 Mon Sep 17 00:00:00 2001 From: samuel40791765 Date: Mon, 6 May 2024 18:53:58 +0000 Subject: [PATCH 1/8] add support for PKCS12_new --- crypto/pkcs8/pkcs8_x509.c | 8 ++++++-- include/openssl/pkcs8.h | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c index c613bf121e..86148739c6 100644 --- a/crypto/pkcs8/pkcs8_x509.c +++ b/crypto/pkcs8/pkcs8_x509.c @@ -741,7 +741,7 @@ struct pkcs12_st { PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) { - PKCS12 *p12 = OPENSSL_malloc(sizeof(PKCS12)); + PKCS12 *p12 = PKCS12_new(); if (!p12) { return NULL; } @@ -1328,7 +1328,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, goto err; } - ret = OPENSSL_malloc(sizeof(PKCS12)); + ret = PKCS12_new(); if (ret == NULL || !CBB_finish(&cbb, &ret->ber_bytes, &ret->ber_len)) { OPENSSL_free(ret); @@ -1342,6 +1342,10 @@ PKCS12 *PKCS12_create(const char *password, const char *name, return ret; } +PKCS12 *PKCS12_new(void) { + return OPENSSL_zalloc(sizeof(PKCS12)); +} + void PKCS12_free(PKCS12 *p12) { if (p12 == NULL) { return; diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h index 8774681e8b..e93724135b 100644 --- a/include/openssl/pkcs8.h +++ b/include/openssl/pkcs8.h @@ -232,6 +232,9 @@ OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name, int cert_nid, int iterations, int mac_iterations, int key_type); +// PKCS12_new returns a newly-allocated |PKCS12| object. +OPENSSL_EXPORT PKCS12 *PKCS12_new(void); + // PKCS12_free frees |p12| and its contents. OPENSSL_EXPORT void PKCS12_free(PKCS12 *p12); From 457c55c2770f5db433d8900480d09cb00b14ecec Mon Sep 17 00:00:00 2001 From: samuel40791765 Date: Tue, 7 May 2024 23:18:54 +0000 Subject: [PATCH 2/8] Add additional SSL_OP_* no-ops --- docs/porting/configuration-differences.md | 47 ++++++++++++++++++++++- include/openssl/ssl.h | 22 ++++++++++- 2 files changed, 67 insertions(+), 2 deletions(-) diff --git a/docs/porting/configuration-differences.md b/docs/porting/configuration-differences.md index 618d370942..c73f721e8e 100644 --- a/docs/porting/configuration-differences.md +++ b/docs/porting/configuration-differences.md @@ -144,7 +144,7 @@ The following table contains the differences in libssl configuration options AWS - +

@@ -188,6 +188,21 @@ The following table contains the differences in libssl configuration options AWS

NO-OP

+ + +

+ + SSL_OP_CRYPTOPRO_TLSEXT_BUG + +

+ + +

OFF

+ + +

NO-OP

+ +

@@ -280,6 +295,36 @@ The following table contains the differences in libssl configuration options AWS

NO-OP

+ + + +

+ + SSL_OP_SAFARI_ECDHE_ECDSA_BUG + +

+ + +

ON

+ + +

NO-OP

+ + + + +

+ + SSL_OP_TLSEXT_PADDING + +

+ + +

ON

+ + +

NO-OP

+ diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 2a4b6587c2..eccdf28a96 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -5618,6 +5618,14 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // unpatched clients and servers and is intentionally not supported in AWS-LC. #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0 +// SSL_OP_CRYPTOPRO_TLSEXT_BUG is OFF by default in AWS-LC. Turning this ON in +// OpenSSL lets the server add a server-hello extension from early version of +// the cryptopro draft, when the GOST ciphersuite is negotiated. Required for +// interoperability with CryptoPro CSP 3.x. +// +// Note: AWS-LC does not support GOST ciphersuites. +#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0 + // SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is ON by default in AWS-LC. This // disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability // affecting CBC ciphers, which cannot be handled by some broken SSL @@ -5642,7 +5650,7 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // This always starts a new session when performing renegotiation as a server // (i.e., session resumption requests are only accepted in the initial // handshake). -// There is no support for renegototiation for a server in AWS-LC +// There is no support for renegototiation for a server in AWS-LC. #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 // SSL_OP_NO_SSLv2 is ON by default in AWS-LC. There is no support for SSLv2 in @@ -5653,6 +5661,18 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // AWS-LC #define SSL_OP_NO_SSLv3 0 +// SSL_OP_SAFARI_ECDHE_ECDSA_BUG is OFF by default in AWS-LC. Turning this ON in +// OpenSSL lets the application not prefer ECDHE-ECDSA ciphers when the client +// appears to be Safari on OSX. +// +// Note: OS X 10.8..10.8.3 broke support for ECDHE-ECDSA ciphers. +#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0 + +// SSL_OP_TLSEXT_PADDING is OFF by default in AWS-LC. Turning this ON in OpenSSL +// adds a padding extension to ensure the ClientHello size is never between 256 +// and 511 bytes in length. This is needed as a workaround for F5 terminators. +#define SSL_OP_TLSEXT_PADDING 0 + // SSL_OP_TLS_ROLLBACK_BUG is OFF by default in AWS-LC. Turning this ON in // OpenSSL disables version rollback attack detection and is intentionally not // supported in AWS-LC. From 53b3dbc7cc83b580a71c807d9af13714064f01d5 Mon Sep 17 00:00:00 2001 From: samuel40791765 Date: Wed, 8 May 2024 22:18:11 +0000 Subject: [PATCH 3/8] add CONF_get1_default_config_file as a noop --- crypto/conf/conf.c | 12 ++++++++++++ docs/porting/functionality-differences.md | 12 ++++++++++-- include/openssl/conf.h | 4 ++++ 3 files changed, 26 insertions(+), 2 deletions(-) diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c index 64fb856a3b..8259f533a6 100644 --- a/crypto/conf/conf.c +++ b/crypto/conf/conf.c @@ -642,6 +642,18 @@ int CONF_modules_load_file(const char *filename, const char *appname, return 1; } +char *CONF_get1_default_config_file(void) { + const char *temp = "No support for Config files in AWS-LC."; + size_t temp_len = strlen(temp); + + char *ret = (char *)OPENSSL_malloc(temp_len); + if(ret == NULL) { + OPENSSL_PUT_ERROR(CONF, ERR_R_MALLOC_FAILURE); + } + OPENSSL_memcpy(ret, temp, temp_len); + return ret; +} + void CONF_modules_free(void) {} void CONF_modules_unload(int all) {} diff --git a/docs/porting/functionality-differences.md b/docs/porting/functionality-differences.md index 6798e0b709..01161d7523 100644 --- a/docs/porting/functionality-differences.md +++ b/docs/porting/functionality-differences.md @@ -480,10 +480,10 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi - +

CONF modules

- +

@@ -498,6 +498,14 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

Returns one.

+ + + +

CONF_get1_default_config_file

+ + +

Returns a fixed dummy string("No support for Config files in AWS-LC.")

+ diff --git a/include/openssl/conf.h b/include/openssl/conf.h index 2a829ae9e2..cd6c615703 100644 --- a/include/openssl/conf.h +++ b/include/openssl/conf.h @@ -142,6 +142,10 @@ OPENSSL_EXPORT const char *NCONF_get_string(const CONF *conf, OPENSSL_EXPORT OPENSSL_DEPRECATED int CONF_modules_load_file( const char *filename, const char *appname, unsigned long flags); +// CONF_get1_default_config_file returns a fixed dummy string. AWS-LC is defined +// to have no config file options. +OPENSSL_EXPORT OPENSSL_DEPRECATED char *CONF_get1_default_config_file(void); + // CONF_modules_free does nothing. OPENSSL_EXPORT OPENSSL_DEPRECATED void CONF_modules_free(void); From 09f7a0b63a0c985d198c83245f93dacf1e7b72fd Mon Sep 17 00:00:00 2001 From: samuel40791765 Date: Thu, 9 May 2024 00:33:44 +0000 Subject: [PATCH 4/8] return null on allocation failure --- crypto/conf/conf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c index 8259f533a6..a3bc9eba49 100644 --- a/crypto/conf/conf.c +++ b/crypto/conf/conf.c @@ -649,6 +649,7 @@ char *CONF_get1_default_config_file(void) { char *ret = (char *)OPENSSL_malloc(temp_len); if(ret == NULL) { OPENSSL_PUT_ERROR(CONF, ERR_R_MALLOC_FAILURE); + return NULL; } OPENSSL_memcpy(ret, temp, temp_len); return ret; From 4d6b09cf91ea2e6da8ce2ae732d828e940418d8b Mon Sep 17 00:00:00 2001 From: samuel40791765 Date: Thu, 9 May 2024 18:24:01 +0000 Subject: [PATCH 5/8] Use malloc and add small test --- crypto/pkcs8/pkcs12_test.cc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/crypto/pkcs8/pkcs12_test.cc b/crypto/pkcs8/pkcs12_test.cc index e23851ea9f..bb15f87cf9 100644 --- a/crypto/pkcs8/pkcs12_test.cc +++ b/crypto/pkcs8/pkcs12_test.cc @@ -674,3 +674,9 @@ TEST(PKCS12Test, CreateWithAlias) { ASSERT_EQ(alias, std::string(reinterpret_cast(parsed_alias), static_cast(alias_len))); } + +TEST(PKCS12Test, BasicAlloc) { + // Test direct allocation of |PKCS12_new| and |PKCS12_free|. + bssl::UniquePtr p12(PKCS12_new()); + ASSERT_TRUE(p12); +} From 01bd8841ab1a4304aa87e441edb2f4a4bb65d512 Mon Sep 17 00:00:00 2001 From: samuel40791765 Date: Fri, 10 May 2024 21:14:41 +0000 Subject: [PATCH 6/8] remove extra error message --- crypto/conf/conf.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c index a3bc9eba49..f4dd073415 100644 --- a/crypto/conf/conf.c +++ b/crypto/conf/conf.c @@ -648,7 +648,6 @@ char *CONF_get1_default_config_file(void) { char *ret = (char *)OPENSSL_malloc(temp_len); if(ret == NULL) { - OPENSSL_PUT_ERROR(CONF, ERR_R_MALLOC_FAILURE); return NULL; } OPENSSL_memcpy(ret, temp, temp_len); From 97beb2fb3f44b38f284d2b891203400044a393c0 Mon Sep 17 00:00:00 2001 From: samuel40791765 Date: Fri, 24 May 2024 00:09:33 +0000 Subject: [PATCH 7/8] add null termination count --- crypto/conf/conf.c | 2 +- crypto/conf/conf_test.cc | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c index f4dd073415..85571f4991 100644 --- a/crypto/conf/conf.c +++ b/crypto/conf/conf.c @@ -644,7 +644,7 @@ int CONF_modules_load_file(const char *filename, const char *appname, char *CONF_get1_default_config_file(void) { const char *temp = "No support for Config files in AWS-LC."; - size_t temp_len = strlen(temp); + size_t temp_len = strlen(temp) + 1; char *ret = (char *)OPENSSL_malloc(temp_len); if(ret == NULL) { diff --git a/crypto/conf/conf_test.cc b/crypto/conf/conf_test.cc index 9b3e00533b..92e52db5f9 100644 --- a/crypto/conf/conf_test.cc +++ b/crypto/conf/conf_test.cc @@ -401,3 +401,8 @@ TEST(ConfTest, ParseList) { EXPECT_EQ(result, t.expected); } } + +TEST(ConfTest, NoopString) { + bssl::UniquePtr string(CONF_get1_default_config_file()); + EXPECT_STREQ("No support for Config files in AWS-LC.", string.get()); +} From de56c61c0fc62b486449663900be5d7a31f46ed2 Mon Sep 17 00:00:00 2001 From: samuel40791765 Date: Fri, 31 May 2024 22:25:44 +0000 Subject: [PATCH 8/8] use OPENSSL_strdup instead --- crypto/conf/conf.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c index 85571f4991..7e049bb303 100644 --- a/crypto/conf/conf.c +++ b/crypto/conf/conf.c @@ -643,15 +643,7 @@ int CONF_modules_load_file(const char *filename, const char *appname, } char *CONF_get1_default_config_file(void) { - const char *temp = "No support for Config files in AWS-LC."; - size_t temp_len = strlen(temp) + 1; - - char *ret = (char *)OPENSSL_malloc(temp_len); - if(ret == NULL) { - return NULL; - } - OPENSSL_memcpy(ret, temp, temp_len); - return ret; + return OPENSSL_strdup("No support for Config files in AWS-LC."); } void CONF_modules_free(void) {}