kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Tweaks for node.js

Browse Source 
node.js is, effectively, another bindings library. However, it's better
written than most and, with these changes, only a couple of tiny fixes
are needed in node.js. Some of these changes are a little depressing
however so we'll need to push node.js to use APIs where possible.

Changes:
  ∙ Support verify_recover. This is very obscure and the motivation
    appears to be https://github.com/nodejs/node/issues/477 – where it's
    not clear that anyone understands what it means :(
  ∙ Add a few, no-op #defines
  ∙ Add some members to |SSL_CTX| and |SSL| – node.js needs to not
    reach into these structs in the future.
  ∙ Add EC_get_builtin_curves.
  ∙ Add EVP_[CIPHER|MD]_do_all_sorted – these functions are limited to
    decrepit.

Change-Id: I9a3566054260d6c4db9d430beb7c46cc970a9d46
Reviewed-on: https://boringssl-review.googlesource.com/6952
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
Adam Langley 2016-01-24 15:58:39 -08:00 committed by Adam Langley
parent eac0ce09d8
commit ce9d85eedd
16 changed files with 453 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
crypto/ec/ec.c
View File

@ -883,3 +883,21 @@ void EC_GROUP_set_point_conversion_form(EC_GROUP *group,
abort();
}
}
size_t EC_get_builtin_curves(EC_builtin_curve *out_curves,
size_t max_num_curves) {
unsigned num_built_in_curves;
for (num_built_in_curves = 0;; num_built_in_curves++) {
if (OPENSSL_built_in_curves[num_built_in_curves].nid == NID_undef) {
break;
}
}
unsigned i;
for (i = 0; i < max_num_curves && i < num_built_in_curves; i++) {
out_curves[i].comment = OPENSSL_built_in_curves[i].data->comment;
out_curves[i].nid = OPENSSL_built_in_curves[i].nid;
}
return num_built_in_curves;
}

29
crypto/evp/evp_ctx.c
View File

@ -342,6 +342,35 @@ int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
return ctx->pmeth->decrypt(ctx, out, outlen, in, inlen);
}
int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx) {
if (!ctx || !ctx->pmeth || !ctx->pmeth->verify_recover) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return 0;
}
ctx->operation = EVP_PKEY_OP_VERIFYRECOVER;
if (!ctx->pmeth->verify_recover_init) {
return 1;
}
if (!ctx->pmeth->verify_recover_init(ctx)) {
ctx->operation = EVP_PKEY_OP_UNDEFINED;
return 0;
}
return 1;
}
int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len,
const uint8_t *sig, size_t sig_len) {
if (!ctx || !ctx->pmeth || !ctx->pmeth->verify_recover) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
return 0;
}
if (ctx->operation != EVP_PKEY_OP_VERIFYRECOVER) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);
return 0;
}
return ctx->pmeth->verify_recover(ctx, out, out_len, sig, sig_len);
}
int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx) {
if (!ctx || !ctx->pmeth || !ctx->pmeth->derive) {
OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);

85
crypto/evp/evp_extra_test.cc
View File

@ -15,6 +15,7 @@
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <utility>
#include <vector>
@ -658,6 +659,84 @@ static bool TestEVP_DigestVerifyInitFromAlgorithm(void) {
return true;
}
static bool TestVerifyRecover() {
ScopedEVP_PKEY pkey = LoadExampleRSAKey();
if (!pkey) {
return false;
}
ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey.get()));
if (!rsa) {
return false;
}
const uint8_t kDummyHash[32] = {0};
uint8_t sig[2048/8];
unsigned sig_len = sizeof(sig);
if (!RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), sig, &sig_len,
rsa.get())) {
fprintf(stderr, "RSA_sign failed.\n");
ERR_print_errors_fp(stderr);
return false;
}
size_t out_len;
ScopedEVP_PKEY_CTX ctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
if (!EVP_PKEY_verify_recover_init(ctx.get()) ||
!EVP_PKEY_CTX_set_rsa_padding(ctx.get(), RSA_PKCS1_PADDING) ||
!EVP_PKEY_CTX_set_signature_md(ctx.get(), EVP_sha256()) ||
!EVP_PKEY_verify_recover(ctx.get(), nullptr, &out_len, sig, sig_len)) {
fprintf(stderr, "verify_recover failed will nullptr buffer.\n");
ERR_print_errors_fp(stderr);
return false;
}
std::vector<uint8_t> recovered;
recovered.resize(out_len);
if (!EVP_PKEY_verify_recover(ctx.get(), recovered.data(), &out_len, sig,
sig_len)) {
fprintf(stderr, "verify_recover failed.\n");
ERR_print_errors_fp(stderr);
return false;
}
if (out_len != sizeof(kDummyHash)) {
fprintf(stderr, "verify_recover length is %u, expected %u.\n",
static_cast<unsigned>(out_len),
static_cast<unsigned>(sizeof(kDummyHash)));
return false;
}
if (memcmp(recovered.data(), kDummyHash, sizeof(kDummyHash)) != 0) {
fprintf(stderr, "verify_recover got wrong value.\n");
ERR_print_errors_fp(stderr);
return false;
}
out_len = recovered.size();
if (!EVP_PKEY_CTX_set_signature_md(ctx.get(), nullptr) ||
!EVP_PKEY_verify_recover(ctx.get(), recovered.data(), &out_len, sig,
sig_len)) {
fprintf(stderr, "verify_recover failed with NULL MD.\n");
ERR_print_errors_fp(stderr);
return false;
}
/* The size of a SHA-256 hash plus PKCS#1 v1.5 ASN.1 stuff happens to be 51
* bytes. */
static const size_t kExpectedASN1Size = 51;
if (out_len != kExpectedASN1Size) {
fprintf(stderr, "verify_recover length without MD is %u, expected %u.\n",
static_cast<unsigned>(out_len),
static_cast<unsigned>(kExpectedASN1Size));
return false;
}
return true;
}
static bool TestBadPSSParameters(void) {
CBS in, tbs_cert, signature;
ScopedEVP_PKEY pkey;
@ -835,6 +914,12 @@ int main(void) {
return 1;
}
if (!TestVerifyRecover()) {
fprintf(stderr, "EVP_PKEY_verify_recover failed\n");
ERR_print_errors_fp(stderr);
return 1;
}
if (!TestBadPSSParameters()) {
fprintf(stderr, "TestBadPSSParameters failed\n");
ERR_print_errors_fp(stderr);

4
crypto/evp/internal.h
View File

@ -249,6 +249,10 @@ struct evp_pkey_method_st {
int (*verify)(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,
const uint8_t *tbs, size_t tbslen);
int (*verify_recover_init)(EVP_PKEY_CTX *ctx);
int (*verify_recover)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len,
const uint8_t *sig, size_t sig_len);
int (*encrypt_init)(EVP_PKEY_CTX *ctx);
int (*encrypt)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
const uint8_t *in, size_t inlen);

29
crypto/evp/p_ec.c
View File

@ -273,11 +273,26 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
}
const EVP_PKEY_METHOD ec_pkey_meth = {
EVP_PKEY_EC, 0 /* flags */, pkey_ec_init,
pkey_ec_copy, pkey_ec_cleanup, 0 /* paramgen_init */,
pkey_ec_paramgen, 0 /* keygen_init */, pkey_ec_keygen,
0 /* sign_init */, pkey_ec_sign, 0 /* verify_init */,
pkey_ec_verify, 0 /* encrypt_init */, 0 /* encrypt */,
0 /* decrypt_init */, 0 /* decrypt */, 0 /* derive_init */,
pkey_ec_derive, pkey_ec_ctrl,
EVP_PKEY_EC,
0 /* flags */,
pkey_ec_init,
pkey_ec_copy,
pkey_ec_cleanup,
0 /* paramgen_init */,
pkey_ec_paramgen,
0 /* keygen_init */,
pkey_ec_keygen,
0 /* sign_init */,
pkey_ec_sign,
0 /* verify_init */,
pkey_ec_verify,
0 /* verify_recover_init */,
0 /* verify_recover */,
0 /* encrypt_init */,
0 /* encrypt */,
0 /* decrypt_init */,
0 /* decrypt */,
0 /* derive_init */,
pkey_ec_derive,
pkey_ec_ctrl,
};

104
crypto/evp/p_rsa.c
View File

@ -256,6 +256,81 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,
return 1;
}
static int pkey_rsa_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,
size_t *out_len, const uint8_t *sig,
size_t sig_len) {
RSA_PKEY_CTX *rctx = ctx->data;
RSA *rsa = ctx->pkey->pkey.rsa;
const size_t key_len = EVP_PKEY_size(ctx->pkey);
if (out == NULL) {
*out_len = key_len;
return 1;
}
if (*out_len < key_len) {
OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
return 0;
}
if (!setup_tbuf(rctx, ctx)) {
return 0;
}
if (rctx->md == NULL) {
const size_t ret = RSA_public_decrypt(sig_len, sig, rctx->tbuf,
ctx->pkey->pkey.rsa, rctx->pad_mode);
if (ret < 0) {
return 0;
}
*out_len = ret;
memcpy(out, rctx->tbuf, *out_len);
return 1;
}
if (rctx->pad_mode != RSA_PKCS1_PADDING) {
return 0;
}
uint8_t *asn1_prefix;
size_t asn1_prefix_len;
int asn1_prefix_allocated;
if (!RSA_add_pkcs1_prefix(&asn1_prefix, &asn1_prefix_len,
&asn1_prefix_allocated, EVP_MD_type(rctx->md), NULL,
0)) {
return 0;
}
size_t rslen;
int ok = 1;
if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len,
RSA_PKCS1_PADDING) ||
rslen < asn1_prefix_len ||
CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len) != 0) {
ok = 0;
}
if (asn1_prefix_allocated) {
OPENSSL_free(asn1_prefix);
}
if (!ok) {
return 0;
}
const size_t result_len = rslen - asn1_prefix_len;
if (result_len != EVP_MD_size(rctx->md)) {
return 0;
}
if (out != NULL) {
memcpy(out, rctx->tbuf + asn1_prefix_len, result_len);
}
*out_len = result_len;
return 1;
}
static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,
const uint8_t *in, size_t inlen) {
RSA_PKEY_CTX *rctx = ctx->data;
@ -503,13 +578,28 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
}
const EVP_PKEY_METHOD rsa_pkey_meth = {
EVP_PKEY_RSA, 0 /* flags */, pkey_rsa_init,
pkey_rsa_copy, pkey_rsa_cleanup, 0 /* paramgen_init */,
0 /* paramgen */, 0 /* keygen_init */, pkey_rsa_keygen,
0 /* sign_init */, pkey_rsa_sign, 0 /* verify_init */,
pkey_rsa_verify, 0 /* encrypt_init */, pkey_rsa_encrypt,
0 /* decrypt_init */, pkey_rsa_decrypt, 0 /* derive_init */,
0 /* derive */, pkey_rsa_ctrl,
EVP_PKEY_RSA,
0 /* flags */,
pkey_rsa_init,
pkey_rsa_copy,
pkey_rsa_cleanup,
0 /* paramgen_init */,
0 /* paramgen */,
0 /* keygen_init */,
pkey_rsa_keygen,
0 /* sign_init */,
pkey_rsa_sign,
0 /* verify_init */,
pkey_rsa_verify,
0 /* verify_recover_init */,
pkey_rsa_verify_recover,
0 /* encrypt_init */,
pkey_rsa_encrypt,
0 /* decrypt_init */,
pkey_rsa_decrypt,
0 /* derive_init */,
0 /* derive */,
pkey_rsa_ctrl,
};
int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) {

2
decrepit/CMakeLists.txt
View File

@ -2,6 +2,7 @@ add_subdirectory(bio)
add_subdirectory(blowfish)
add_subdirectory(cast)
add_subdirectory(des)
add_subdirectory(evp)
add_subdirectory(rsa)
add_subdirectory(xts)
@ -12,6 +13,7 @@ add_library(
$<TARGET_OBJECTS:blowfish>
$<TARGET_OBJECTS:cast>
$<TARGET_OBJECTS:des_decrepit>
$<TARGET_OBJECTS:evp_decrepit>
$<TARGET_OBJECTS:rsa_decrepit>
$<TARGET_OBJECTS:xts>
)

9
decrepit/evp/CMakeLists.txt Normal file
View File

@ -0,0 +1,9 @@
include_directories(../../include)
add_library(
evp_decrepit
OBJECT
evp_do_all.c
)

77
decrepit/evp/evp_do_all.c Normal file
View File

@ -0,0 +1,77 @@
/* Copyright (c) 2016, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <openssl/evp.h>
void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
const char *name,
const char *unused, void *arg),
void *arg) {
callback(EVP_aes_128_cbc(), "AES-128-CBC", NULL, arg);
callback(EVP_aes_128_ctr(), "AES-128-CTR", NULL, arg);
callback(EVP_aes_128_ecb(), "AES-128-ECB", NULL, arg);
callback(EVP_aes_128_ofb(), "AES-128-OFB", NULL, arg);
callback(EVP_aes_256_cbc(), "AES-256-CBC", NULL, arg);
callback(EVP_aes_256_ctr(), "AES-256-CTR", NULL, arg);
callback(EVP_aes_256_ecb(), "AES-256-ECB", NULL, arg);
callback(EVP_aes_256_ofb(), "AES-256-OFB", NULL, arg);
callback(EVP_aes_256_xts(), "AES-256-XTS", NULL, arg);
callback(EVP_des_cbc(), "DES-CBC", NULL, arg);
callback(EVP_des_ecb(), "DES-ECB", NULL, arg);
callback(EVP_des_ede(), "DES-EDE", NULL, arg);
callback(EVP_des_ede_cbc(), "DES-EDE-CBC", NULL, arg);
callback(EVP_des_ede3_cbc(), "DES-EDE3-CBC", NULL, arg);
callback(EVP_rc2_cbc(), "RC2-CBC", NULL, arg);
callback(EVP_rc4(), "RC4", NULL, arg);
/* OpenSSL returns everything twice, the second time in lower case. */
callback(EVP_aes_128_cbc(), "aes-128-cbc", NULL, arg);
callback(EVP_aes_128_ctr(), "aes-128-ctr", NULL, arg);
callback(EVP_aes_128_ecb(), "aes-128-ecb", NULL, arg);
callback(EVP_aes_128_ofb(), "aes-128-ofb", NULL, arg);
callback(EVP_aes_256_cbc(), "aes-256-cbc", NULL, arg);
callback(EVP_aes_256_ctr(), "aes-256-ctr", NULL, arg);
callback(EVP_aes_256_ecb(), "aes-256-ecb", NULL, arg);
callback(EVP_aes_256_ofb(), "aes-256-ofb", NULL, arg);
callback(EVP_aes_256_xts(), "aes-256-xts", NULL, arg);
callback(EVP_des_cbc(), "des-cbc", NULL, arg);
callback(EVP_des_ecb(), "des-ecb", NULL, arg);
callback(EVP_des_ede(), "des-ede", NULL, arg);
callback(EVP_des_ede_cbc(), "des-ede-cbc", NULL, arg);
callback(EVP_des_ede3_cbc(), "des-ede3-cbc", NULL, arg);
callback(EVP_rc2_cbc(), "rc2-cbc", NULL, arg);
callback(EVP_rc4(), "rc4", NULL, arg);
}
void EVP_MD_do_all_sorted(void (*callback)(const EVP_MD *cipher,
const char *name, const char *unused,
void *arg),
void *arg) {
callback(EVP_md4(), "MD4", NULL, arg);
callback(EVP_md5(), "MD5", NULL, arg);
callback(EVP_sha1(), "SHA1", NULL, arg);
callback(EVP_sha224(), "SHA224", NULL, arg);
callback(EVP_sha256(), "SHA256", NULL, arg);
callback(EVP_sha384(), "SHA384", NULL, arg);
callback(EVP_sha512(), "SHA512", NULL, arg);
callback(EVP_md4(), "md4", NULL, arg);
callback(EVP_md5(), "md5", NULL, arg);
callback(EVP_sha1(), "sha1", NULL, arg);
callback(EVP_sha224(), "sha224", NULL, arg);
callback(EVP_sha256(), "sha256", NULL, arg);
callback(EVP_sha384(), "sha384", NULL, arg);
callback(EVP_sha512(), "sha512", NULL, arg);
}

5
include/openssl/bio.h
View File

@ -711,6 +711,11 @@ OPENSSL_EXPORT int BIO_zero_copy_get_write_buf_done(BIO* bio,
#define BIO_CTRL_GET_CALLBACK 15 /* opt - set callback function */
#define BIO_CTRL_SET_FILENAME 30 /* BIO_s_file special */
/* These are never used, but exist to allow code to compile more easily. */
#define BIO_CTRL_DUP 100
#define BIO_CTRL_PUSH 101
#define BIO_CTRL_POP 102
/* Android compatibility section.
*

4
include/openssl/crypto.h
View File

@ -42,7 +42,9 @@ OPENSSL_EXPORT void CRYPTO_library_init(void);
/* Deprecated functions. */
#define OPENSSL_VERSION_TEXT "BoringSSL"
/* OPENSSL_VERSION_TEXT contains a string the identifies the version of
* OpenSSL. node.js requires a version number in this text. */
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2 (compatible; BoringSSL)"
#define SSLEAY_VERSION 0

37
include/openssl/ec.h
View File

@ -81,14 +81,24 @@ extern "C" {
typedef struct ec_group_st EC_GROUP;
typedef struct ec_point_st EC_POINT;
/** Enum for the point conversion form as defined in X9.62 (ECDSA)
* for the encoding of a elliptic curve point (x,y) */
/* point_conversion_form_t enumerates forms, as defined in X9.62 (ECDSA), for
* the encoding of a elliptic curve point (x,y) */
typedef enum {
/** the point is encoded as z||x, where the octet z specifies
* which solution of the quadratic equation y is */
POINT_CONVERSION_COMPRESSED = 2,
/** the point is encoded as z||x||y, where z is the octet 0x04 */
POINT_CONVERSION_UNCOMPRESSED = 4
/* POINT_CONVERSION_COMPRESSED indicates that the point is encoded as z||x,
* where the octet z specifies which solution of the quadratic equation y
* is. */
POINT_CONVERSION_COMPRESSED = 2,
/* POINT_CONVERSION_COMPRESSED indicates that the point is encoded as
* z||x||y, where z is the octet 0x04. */
POINT_CONVERSION_UNCOMPRESSED = 4,
/* POINT_CONVERSION_HYBRID indicates that the point is encoded as z||x||y,
* where z specifies which solution of the quadratic equation y is. This is
* not supported by the code and has never been observed in use.
*
* TODO(agl): remove once node.js no longer references this. */
POINT_CONVERSION_HYBRID = 6,
} point_conversion_form_t;
@ -306,6 +316,19 @@ OPENSSL_EXPORT int EC_METHOD_get_field_type(const EC_METHOD *meth);
OPENSSL_EXPORT void EC_GROUP_set_point_conversion_form(
EC_GROUP *group, point_conversion_form_t form);
/* EC_builtin_curve describes a supported elliptic curve. */
typedef struct {
int nid;
const char *comment;
} EC_builtin_curve;
/* EC_get_builtin_curves writes at most |max_num_curves| elements to
* |out_curves| and returns the total number that it would have written, had
* |max_num_curves| been large enough.
*
* The |EC_builtin_curve| items describe the supported elliptic curves. */
OPENSSL_EXPORT size_t EC_get_builtin_curves(EC_builtin_curve *out_curves,
size_t max_num_curves);
/* Old code expects to get EC_KEY from ec.h. */
#include <openssl/ec_key.h>

38
include/openssl/evp.h
View File

@ -511,6 +511,34 @@ OPENSSL_EXPORT int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
size_t *out_len, const uint8_t *in,
size_t in_len);
/* EVP_PKEY_verify_recover_init initialises an |EVP_PKEY_CTX| for a public-key
* decryption operation. It should be called before |EVP_PKEY_verify_recover|.
*
* Public-key decryption is a very obscure operation that is only implemented
* by RSA keys. It is effectively a signature verification operation that
* returns the signed message directly. It is almost certainly not what you
* want.
*
* It returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
/* EVP_PKEY_verify_recover decrypts |sig_len| bytes from |sig|. If |out| is
* NULL, the maximum size of the plaintext is written to |out_len|. Otherwise,
* |*out_len| must contain the number of bytes of space available at |out|. If
* sufficient, the ciphertext will be written to |out| and |*out_len| updated
* with the true length.
*
* WARNING: Setting |out| to NULL only gives the maximum size of the
* plaintext. The actual plaintext may be smaller.
*
* See the warning about this operation in |EVP_PKEY_verify_recover_init|. It
* is probably not what you want.
*
* It returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,
size_t *out_len, const uint8_t *sig,
size_t siglen);
/* EVP_PKEY_derive_init initialises an |EVP_PKEY_CTX| for a key derivation
* operation. It should be called before |EVP_PKEY_derive_set_peer| and
* |EVP_PKEY_derive|.
@ -659,6 +687,16 @@ OPENSSL_EXPORT void OpenSSL_add_all_digests(void);
/* EVP_cleanup does nothing. */
OPENSSL_EXPORT void EVP_cleanup(void);
OPENSSL_EXPORT void EVP_CIPHER_do_all_sorted(
void (*callback)(const EVP_CIPHER *cipher, const char *name,
const char *unused, void *arg),
void *arg);
OPENSSL_EXPORT void EVP_MD_do_all_sorted(void (*callback)(const EVP_MD *cipher,
const char *name,
const char *unused,
void *arg),
void *arg);
/* Private functions */

34
include/openssl/ssl.h
View File

@ -2704,15 +2704,17 @@ OPENSSL_EXPORT void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list);
/* SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records
* sent by |ctx|. Beyond this length, handshake messages and application data
* will be split into multiple records. */
OPENSSL_EXPORT void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx,
size_t max_send_fragment);
* will be split into multiple records. It returns one on success or zero on
* error. */
OPENSSL_EXPORT int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx,
size_t max_send_fragment);
/* SSL_set_max_send_fragment sets the maximum length, in bytes, of records
* sent by |ssl|. Beyond this length, handshake messages and application data
* will be split into multiple records. */
OPENSSL_EXPORT void SSL_set_max_send_fragment(SSL *ssl,
size_t max_send_fragment);
/* SSL_set_max_send_fragment sets the maximum length, in bytes, of records sent
* by |ssl|. Beyond this length, handshake messages and application data will
* be split into multiple records. It returns one on success or zero on
* error. */
OPENSSL_EXPORT int SSL_set_max_send_fragment(SSL *ssl,
size_t max_send_fragment);
/* ssl_early_callback_ctx is passed to certain callbacks that are called very
* early on during the server handshake. At this point, much of the SSL* hasn't
@ -3732,6 +3734,11 @@ struct ssl_ctx_st {
* means that we'll accept Channel IDs from clients. For a client, means that
* we'll advertise support. */
unsigned tlsext_channel_id_enabled:1;
/* extra_certs is a dummy value included for compatibility.
* TODO(agl): remove once node.js no longer references this. */
STACK_OF(X509)* extra_certs;
int freelist_max_len;
};
struct ssl_st {
@ -3914,6 +3921,9 @@ struct ssl_st {
* means that we'll accept Channel IDs from clients. For a client, means that
* we'll advertise support. */
unsigned tlsext_channel_id_enabled:1;
/* TODO(agl): remove once node.js not longer references this. */
int tlsext_status_type;
};
typedef struct ssl3_record_st {
@ -4179,6 +4189,14 @@ OPENSSL_EXPORT int SSL_set_session_ticket_ext_cb(SSL *s, void *cb, void *arg);
OPENSSL_EXPORT int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
/* Nodejs compatibility section (hidden).
*
* These defines exist for node.js, with the hope that we can eliminate the
* need for them over time. */
#define SSLerr(function, reason) \
ERR_put_error(ERR_LIB_SSL, 0, reason, __FILE__, __LINE__)
/* Preprocessor compatibility section (hidden).
*
* Historically, a number of APIs were implemented in OpenSSL as macros and

8
ssl/ssl_lib.c
View File

@ -1180,7 +1180,7 @@ void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {
ssl->max_cert_list = (uint32_t)max_cert_list;
}
void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
if (max_send_fragment < 512) {
max_send_fragment = 512;
}
@ -1188,9 +1188,11 @@ void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
}
ctx->max_send_fragment = (uint16_t)max_send_fragment;
return 1;
}
void SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
int SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
if (max_send_fragment < 512) {
max_send_fragment = 512;
}
@ -1198,6 +1200,8 @@ void SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
}
ssl->max_send_fragment = (uint16_t)max_send_fragment;
return 1;
}
int SSL_set_mtu(SSL *ssl, unsigned mtu) {

2
ssl/t1_lib.c
View File

@ -1144,6 +1144,7 @@ static int ext_sigalgs_add_serverhello(SSL *ssl, CBB *out) {
static void ext_ocsp_init(SSL *ssl) {
ssl->s3->tmp.certificate_status_expected = 0;
ssl->tlsext_status_type = -1;
}
static int ext_ocsp_add_clienthello(SSL *ssl, CBB *out) {
@ -1161,6 +1162,7 @@ static int ext_ocsp_add_clienthello(SSL *ssl, CBB *out) {
return 0;
}
ssl->tlsext_status_type = TLSEXT_STATUSTYPE_ocsp;
return 1;
}