diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c index 64fb856a3b..7e049bb303 100644 --- a/crypto/conf/conf.c +++ b/crypto/conf/conf.c @@ -642,6 +642,10 @@ int CONF_modules_load_file(const char *filename, const char *appname, return 1; } +char *CONF_get1_default_config_file(void) { + return OPENSSL_strdup("No support for Config files in AWS-LC."); +} + void CONF_modules_free(void) {} void CONF_modules_unload(int all) {} diff --git a/crypto/conf/conf_test.cc b/crypto/conf/conf_test.cc index 9b3e00533b..92e52db5f9 100644 --- a/crypto/conf/conf_test.cc +++ b/crypto/conf/conf_test.cc @@ -401,3 +401,8 @@ TEST(ConfTest, ParseList) { EXPECT_EQ(result, t.expected); } } + +TEST(ConfTest, NoopString) { + bssl::UniquePtr string(CONF_get1_default_config_file()); + EXPECT_STREQ("No support for Config files in AWS-LC.", string.get()); +} diff --git a/crypto/pkcs8/pkcs12_test.cc b/crypto/pkcs8/pkcs12_test.cc index e23851ea9f..bb15f87cf9 100644 --- a/crypto/pkcs8/pkcs12_test.cc +++ b/crypto/pkcs8/pkcs12_test.cc @@ -674,3 +674,9 @@ TEST(PKCS12Test, CreateWithAlias) { ASSERT_EQ(alias, std::string(reinterpret_cast(parsed_alias), static_cast(alias_len))); } + +TEST(PKCS12Test, BasicAlloc) { + // Test direct allocation of |PKCS12_new| and |PKCS12_free|. + bssl::UniquePtr p12(PKCS12_new()); + ASSERT_TRUE(p12); +} diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c index c613bf121e..86148739c6 100644 --- a/crypto/pkcs8/pkcs8_x509.c +++ b/crypto/pkcs8/pkcs8_x509.c @@ -741,7 +741,7 @@ struct pkcs12_st { PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) { - PKCS12 *p12 = OPENSSL_malloc(sizeof(PKCS12)); + PKCS12 *p12 = PKCS12_new(); if (!p12) { return NULL; } @@ -1328,7 +1328,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, goto err; } - ret = OPENSSL_malloc(sizeof(PKCS12)); + ret = PKCS12_new(); if (ret == NULL || !CBB_finish(&cbb, &ret->ber_bytes, &ret->ber_len)) { OPENSSL_free(ret); @@ -1342,6 +1342,10 @@ PKCS12 *PKCS12_create(const char *password, const char *name, return ret; } +PKCS12 *PKCS12_new(void) { + return OPENSSL_zalloc(sizeof(PKCS12)); +} + void PKCS12_free(PKCS12 *p12) { if (p12 == NULL) { return; diff --git a/docs/porting/configuration-differences.md b/docs/porting/configuration-differences.md index 618d370942..c73f721e8e 100644 --- a/docs/porting/configuration-differences.md +++ b/docs/porting/configuration-differences.md @@ -144,7 +144,7 @@ The following table contains the differences in libssl configuration options AWS - +

@@ -188,6 +188,21 @@ The following table contains the differences in libssl configuration options AWS

NO-OP

+ + +

+ + SSL_OP_CRYPTOPRO_TLSEXT_BUG + +

+ + +

OFF

+ + +

NO-OP

+ +

@@ -280,6 +295,36 @@ The following table contains the differences in libssl configuration options AWS

NO-OP

+ + + +

+ + SSL_OP_SAFARI_ECDHE_ECDSA_BUG + +

+ + +

ON

+ + +

NO-OP

+ + + + +

+ + SSL_OP_TLSEXT_PADDING + +

+ + +

ON

+ + +

NO-OP

+ diff --git a/docs/porting/functionality-differences.md b/docs/porting/functionality-differences.md index 6798e0b709..01161d7523 100644 --- a/docs/porting/functionality-differences.md +++ b/docs/porting/functionality-differences.md @@ -480,10 +480,10 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi - +

CONF modules

- +

@@ -498,6 +498,14 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

Returns one.

+ + + +

CONF_get1_default_config_file

+ + +

Returns a fixed dummy string("No support for Config files in AWS-LC.")

+ diff --git a/include/openssl/conf.h b/include/openssl/conf.h index 2a829ae9e2..cd6c615703 100644 --- a/include/openssl/conf.h +++ b/include/openssl/conf.h @@ -142,6 +142,10 @@ OPENSSL_EXPORT const char *NCONF_get_string(const CONF *conf, OPENSSL_EXPORT OPENSSL_DEPRECATED int CONF_modules_load_file( const char *filename, const char *appname, unsigned long flags); +// CONF_get1_default_config_file returns a fixed dummy string. AWS-LC is defined +// to have no config file options. +OPENSSL_EXPORT OPENSSL_DEPRECATED char *CONF_get1_default_config_file(void); + // CONF_modules_free does nothing. OPENSSL_EXPORT OPENSSL_DEPRECATED void CONF_modules_free(void); diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h index 8774681e8b..e93724135b 100644 --- a/include/openssl/pkcs8.h +++ b/include/openssl/pkcs8.h @@ -232,6 +232,9 @@ OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name, int cert_nid, int iterations, int mac_iterations, int key_type); +// PKCS12_new returns a newly-allocated |PKCS12| object. +OPENSSL_EXPORT PKCS12 *PKCS12_new(void); + // PKCS12_free frees |p12| and its contents. OPENSSL_EXPORT void PKCS12_free(PKCS12 *p12); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 2a4b6587c2..eccdf28a96 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -5618,6 +5618,14 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // unpatched clients and servers and is intentionally not supported in AWS-LC. #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0 +// SSL_OP_CRYPTOPRO_TLSEXT_BUG is OFF by default in AWS-LC. Turning this ON in +// OpenSSL lets the server add a server-hello extension from early version of +// the cryptopro draft, when the GOST ciphersuite is negotiated. Required for +// interoperability with CryptoPro CSP 3.x. +// +// Note: AWS-LC does not support GOST ciphersuites. +#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0 + // SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is ON by default in AWS-LC. This // disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability // affecting CBC ciphers, which cannot be handled by some broken SSL @@ -5642,7 +5650,7 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // This always starts a new session when performing renegotiation as a server // (i.e., session resumption requests are only accepted in the initial // handshake). -// There is no support for renegototiation for a server in AWS-LC +// There is no support for renegototiation for a server in AWS-LC. #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 // SSL_OP_NO_SSLv2 is ON by default in AWS-LC. There is no support for SSLv2 in @@ -5653,6 +5661,18 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // AWS-LC #define SSL_OP_NO_SSLv3 0 +// SSL_OP_SAFARI_ECDHE_ECDSA_BUG is OFF by default in AWS-LC. Turning this ON in +// OpenSSL lets the application not prefer ECDHE-ECDSA ciphers when the client +// appears to be Safari on OSX. +// +// Note: OS X 10.8..10.8.3 broke support for ECDHE-ECDSA ciphers. +#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0 + +// SSL_OP_TLSEXT_PADDING is OFF by default in AWS-LC. Turning this ON in OpenSSL +// adds a padding extension to ensure the ClientHello size is never between 256 +// and 511 bytes in length. This is needed as a workaround for F5 terminators. +#define SSL_OP_TLSEXT_PADDING 0 + // SSL_OP_TLS_ROLLBACK_BUG is OFF by default in AWS-LC. Turning this ON in // OpenSSL disables version rollback attack detection and is intentionally not // supported in AWS-LC.