Browse Source

Fix safestack issues in ssl.h

We fix 3 problems with safestack:
- Including an openssl header file without linking against libcrypto
  can cause compilation failures (even if the app does not otherwise need
  to link against libcrypto). See issue #8102
- Recent changes means that applications in no-deprecated builds will need
  to include additional macro calls in the source code for all stacks that
  they need to use - which is an API break. This changes avoids that
  necessity.
- It is not possible to write code using stacks that works in both a
  no-deprecated and a normal build of OpenSSL. See issue #12707.

Fixes #12707
Contains a partial fix for #8102. A similar PR will be needed for hash to
fully fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
master
Matt Caswell 1 year ago
parent
commit
6ac1cd10ba
24 changed files with 108 additions and 38 deletions
  1. +1
    -0
      .gitignore
  2. +0
    -2
      apps/ciphers.c
  3. +0
    -1
      apps/s_server.c
  4. +2
    -0
      build.info
  5. +0
    -2
      fuzz/client.c
  6. +0
    -2
      fuzz/server.c
  7. +13
    -3
      include/openssl/ssl.h.in
  8. +0
    -2
      ssl/d1_srtp.c
  9. +0
    -1
      ssl/s3_lib.c
  10. +0
    -3
      ssl/ssl_ciph.c
  11. +0
    -2
      ssl/ssl_lib.c
  12. +0
    -2
      ssl/statem/extensions_clnt.c
  13. +0
    -1
      ssl/statem/extensions_srvr.c
  14. +0
    -2
      ssl/statem/statem_clnt.c
  15. +0
    -1
      ssl/statem/statem_lib.c
  16. +0
    -2
      ssl/statem/statem_srvr.c
  17. +0
    -1
      ssl/t1_lib.c
  18. +0
    -2
      test/cipherbytes_test.c
  19. +0
    -2
      test/cipherlist_test.c
  20. +0
    -2
      test/ciphername_test.c
  21. +0
    -2
      test/dtls_mtu_test.c
  22. +0
    -2
      test/sslcorrupttest.c
  23. +0
    -1
      test/ssltest_old.c
  24. +92
    -0
      util/perl/OpenSSL/stackhash.pm

+ 1
- 0
.gitignore View File

@ -25,6 +25,7 @@
/include/openssl/configuration.h
/include/openssl/opensslv.h
/include/openssl/fipskey.h
/include/openssl/ssl.h
# Auto generated doc files
doc/man1/openssl-*.pod


+ 0
- 2
apps/ciphers.c View File

@ -15,8 +15,6 @@
#include <openssl/err.h>
#include <openssl/ssl.h>
DEFINE_STACK_OF_CONST(SSL_CIPHER)
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_STDNAME,


+ 0
- 1
apps/s_server.c View File

@ -63,7 +63,6 @@ typedef unsigned int u_int;
DEFINE_STACK_OF(X509_EXTENSION)
DEFINE_STACK_OF(X509_CRL)
DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(SSL_CIPHER)
DEFINE_STACK_OF_STRING()
static int not_resumable_sess_cb(SSL *s, int is_forward_secure);


+ 2
- 0
build.info View File

@ -15,12 +15,14 @@ DEPEND[libssl]=libcrypto
# unconditionally before anything else.
DEPEND[]=include/openssl/configuration.h include/openssl/opensslv.h \
include/openssl/fipskey.h \
include/openssl/ssl.h \
include/crypto/bn_conf.h include/crypto/dso_conf.h \
doc/man7/openssl_user_macros.pod
GENERATE[include/openssl/configuration.h]=include/openssl/configuration.h.in
GENERATE[include/openssl/opensslv.h]=include/openssl/opensslv.h.in
GENERATE[include/openssl/fipskey.h]=include/openssl/fipskey.h.in
GENERATE[include/openssl/ssl.h]=include/openssl/ssl.h.in
GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in
GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in
GENERATE[doc/man7/openssl_user_macros.pod]=doc/man7/openssl_user_macros.pod.in


+ 0
- 2
fuzz/client.c View File

@ -20,8 +20,6 @@
#include "rand.inc"
DEFINE_STACK_OF(SSL_COMP)
/* unused, to avoid warning. */
static int idx;


+ 0
- 2
fuzz/server.c View File

@ -24,8 +24,6 @@
#include "rand.inc"
DEFINE_STACK_OF(SSL_COMP)
static const uint8_t kCertificateDER[] = {
0x30, 0x82, 0x02, 0xff, 0x30, 0x82, 0x01, 0xe7, 0xa0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x11, 0x00, 0xb1, 0x84, 0xee, 0x34, 0x99, 0x98, 0x76, 0xfb,


include/openssl/ssl.h → include/openssl/ssl.h.in View File


+ 0
- 2
ssl/d1_srtp.c View File

@ -19,8 +19,6 @@
#ifndef OPENSSL_NO_SRTP
DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = {
{
"SRTP_AES128_CM_SHA1_80",


+ 0
- 1
ssl/s3_lib.c View File

@ -22,7 +22,6 @@
DEFINE_STACK_OF(X509_NAME)
DEFINE_STACK_OF(X509)
DEFINE_STACK_OF_CONST(SSL_CIPHER)
#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers)
#define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers)


+ 0
- 3
ssl/ssl_ciph.c View File

@ -25,9 +25,6 @@
#include "internal/thread_once.h"
#include "internal/cryptlib.h"
DEFINE_STACK_OF(SSL_COMP)
DEFINE_STACK_OF_CONST(SSL_CIPHER)
/* NB: make sure indices in these tables match values above */
typedef struct {


+ 0
- 2
ssl/ssl_lib.c View File

@ -30,10 +30,8 @@
DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(X509_NAME)
DEFINE_STACK_OF_CONST(SSL_CIPHER)
DEFINE_STACK_OF(X509_EXTENSION)
DEFINE_STACK_OF(OCSP_RESPID)
DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
DEFINE_STACK_OF(SCT)
static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t,


+ 0
- 2
ssl/statem/extensions_clnt.c View File

@ -12,8 +12,6 @@
#include "internal/cryptlib.h"
#include "statem_local.h"
DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
DEFINE_STACK_OF_CONST(SSL_CIPHER)
DEFINE_STACK_OF(OCSP_RESPID)
EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,


+ 0
- 1
ssl/statem/extensions_srvr.c View File

@ -12,7 +12,6 @@
#include "statem_local.h"
#include "internal/cryptlib.h"
DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
DEFINE_STACK_OF(OCSP_RESPID)
DEFINE_STACK_OF(X509_EXTENSION)


+ 0
- 2
ssl/statem/statem_clnt.c View File

@ -29,8 +29,6 @@
#include <internal/cryptlib.h>
DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(SSL_COMP)
DEFINE_STACK_OF_CONST(SSL_CIPHER)
static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);


+ 0
- 1
ssl/statem/statem_lib.c View File

@ -23,7 +23,6 @@
DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(X509_NAME)
DEFINE_STACK_OF_CONST(SSL_CIPHER)
/*
* Map error codes to TLS/SSL alart types.


+ 0
- 2
ssl/statem/statem_srvr.c View File

@ -27,8 +27,6 @@
#include <openssl/asn1t.h>
DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(SSL_COMP)
DEFINE_STACK_OF_CONST(SSL_CIPHER)
#define TICKET_NONCE_SIZE 8


+ 0
- 1
ssl/t1_lib.c View File

@ -28,7 +28,6 @@
#include "ssl_local.h"
#include <openssl/ct.h>
DEFINE_STACK_OF_CONST(SSL_CIPHER)
DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(X509_NAME)


+ 0
- 2
test/cipherbytes_test.c View File

@ -21,8 +21,6 @@
#include "internal/nelem.h"
#include "testutil.h"
DEFINE_STACK_OF(SSL_CIPHER)
static SSL_CTX *ctx;
static SSL *s;


+ 0
- 2
test/cipherlist_test.c View File

@ -21,8 +21,6 @@
#include "internal/nelem.h"
#include "testutil.h"
DEFINE_STACK_OF_CONST(SSL_CIPHER)
typedef struct cipherlist_test_fixture {
const char *test_case_name;
SSL_CTX *server;


+ 0
- 2
test/ciphername_test.c View File

@ -22,8 +22,6 @@
#include "internal/nelem.h"
#include "testutil.h"
DEFINE_STACK_OF(SSL_CIPHER)
typedef struct cipher_id_name {
int id;
const char *name;


+ 0
- 2
test/dtls_mtu_test.c View File

@ -20,8 +20,6 @@
/* for SSL_READ_ETM() */
#include "../ssl/ssl_local.h"
DEFINE_STACK_OF(SSL_CIPHER)
static int debug = 0;
static unsigned int clnt_psk_callback(SSL *ssl, const char *hint,


+ 0
- 2
test/sslcorrupttest.c View File

@ -11,8 +11,6 @@
#include "ssltestlib.h"
#include "testutil.h"
DEFINE_STACK_OF(SSL_CIPHER)
static int docorrupt = 0;
static void copy_flags(BIO *bio)


+ 0
- 1
test/ssltest_old.c View File

@ -81,7 +81,6 @@
# include <unistd.h>
#endif
DEFINE_STACK_OF(SSL_COMP)
DEFINE_STACK_OF_STRING()
static SSL_CTX *s_ctx = NULL;


+ 92
- 0
util/perl/OpenSSL/stackhash.pm View File

@ -0,0 +1,92 @@
#! /usr/bin/env perl
# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
package OpenSSL::stackhash;
use strict;
use warnings;
require Exporter;
our @ISA = qw(Exporter);
our @EXPORT_OK = qw(generate_stack_macros generate_const_stack_macros);
sub generate_stack_macros_int {
my $nametype = shift;
my $realtype = shift;
my $plaintype = shift;
my $macros = <<END_MACROS;
STACK_OF(${nametype});
typedef int (*sk_${nametype}_compfunc)(const ${plaintype} * const *a, const ${plaintype} *const *b);
typedef void (*sk_${nametype}_freefunc)(${plaintype} *a);
typedef ${plaintype} * (*sk_${nametype}_copyfunc)(const ${plaintype} *a);
static ossl_unused ossl_inline ${realtype} *ossl_check_${nametype}_type(${realtype} *ptr)
{
return ptr;
}
static ossl_unused ossl_inline const OPENSSL_STACK *ossl_check_const_${nametype}_sk_type(const STACK_OF(${nametype}) *sk)
{
return (const OPENSSL_STACK *)sk;
}
static ossl_unused ossl_inline OPENSSL_STACK *ossl_check_${nametype}_sk_type(STACK_OF(${nametype}) *sk)
{
return (OPENSSL_STACK *)sk;
}
static ossl_unused ossl_inline OPENSSL_sk_compfunc ossl_check_${nametype}_compfunc_type(sk_${nametype}_compfunc cmp)
{
return (OPENSSL_sk_compfunc)cmp;
}
static ossl_unused ossl_inline OPENSSL_sk_copyfunc ossl_check_${nametype}_copyfunc_type(sk_${nametype}_copyfunc cpy)
{
return (OPENSSL_sk_copyfunc)cpy;
}
static ossl_unused ossl_inline OPENSSL_sk_freefunc ossl_check_${nametype}_freefunc_type(sk_${nametype}_freefunc fr)
{
return (OPENSSL_sk_freefunc)fr;
}
#define sk_${nametype}_num(sk) OPENSSL_sk_num(ossl_check_const_${nametype}_sk_type(sk))
#define sk_${nametype}_value(sk, idx) ((${realtype} *)OPENSSL_sk_value(ossl_check_const_${nametype}_sk_type(sk), (idx)))
#define sk_${nametype}_new(cmp) ((STACK_OF(${nametype}) *)OPENSSL_sk_new(ossl_check_${nametype}_compfunc_type(cmp)))
#define sk_${nametype}_new_null() ((STACK_OF(${nametype}) *)OPENSSL_sk_new_null())
#define sk_${nametype}_new_reserve(cmp, n) ((STACK_OF(${nametype}) *)OPENSSL_sk_new_reserve(ossl_check_${nametype}_compfunc_type(cmp), (n)))
#define sk_${nametype}_reserve(sk, n) OPENSSL_sk_reserve(ossl_check_${nametype}_sk_type(sk), (n))
#define sk_${nametype}_free(sk) OPENSSL_sk_free(ossl_check_${nametype}_sk_type(sk))
#define sk_${nametype}_zero(sk) OPENSSL_sk_zero(ossl_check_${nametype}_sk_type(sk))
#define sk_${nametype}_delete(sk, i) ((${realtype} *)OPENSSL_sk_delete(ossl_check_${nametype}_sk_type(sk), (i)))
#define sk_${nametype}_delete_ptr(sk, ptr) ((${realtype} *)OPENSSL_sk_delete_ptr(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr)))
#define sk_${nametype}_push(sk, ptr) OPENSSL_sk_push(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr))
#define sk_${nametype}_unshift(sk, ptr) OPENSSL_sk_unshift(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr))
#define sk_${nametype}_pop(sk) ((${realtype} *)OPENSSL_sk_pop(ossl_check_${nametype}_sk_type(sk)))
#define sk_${nametype}_shift(sk) ((${realtype} *)OPENSSL_sk_shift(ossl_check_${nametype}_sk_type(sk)))
#define sk_${nametype}_pop_free(sk, freefunc) OPENSSL_sk_pop_free(ossl_check_${nametype}_sk_type(sk),ossl_check_${nametype}_freefunc_type(freefunc))
#define sk_${nametype}_insert(sk, ptr, idx) OPENSSL_sk_insert(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr), (idx))
#define sk_${nametype}_set(sk, idx, ptr) ((${realtype} *)OPENSSL_sk_set(ossl_check_${nametype}_sk_type(sk), (idx), ossl_check_${nametype}_type(ptr)))
#define sk_${nametype}_find(sk, ptr) OPENSSL_sk_find(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr))
#define sk_${nametype}_find_ex(sk, ptr) OPENSSL_sk_find_ex(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr))
#define sk_${nametype}_sort(sk) OPENSSL_sk_sort(ossl_check_${nametype}_sk_type(sk))
#define sk_${nametype}_is_sorted(sk) OPENSSL_sk_is_sorted(ossl_check_const_${nametype}_sk_type(sk))
#define sk_${nametype}_dup(sk) ((STACK_OF(${nametype}) *)OPENSSL_sk_dup(ossl_check_const_${nametype}_sk_type(sk)))
#define sk_${nametype}_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(${nametype}) *)OPENSSL_sk_deep_copy(ossl_check_const_${nametype}_sk_type(sk), ossl_check_${nametype}_copyfunc_type(copyfunc), ossl_check_${nametype}_freefunc_type(freefunc)))
#define sk_${nametype}_set_cmp_func(sk, cmp) ((sk_${nametype}_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_compfunc_type(cmp)))
END_MACROS
return $macros;
}
sub generate_stack_macros {
my $type = shift;
return generate_stack_macros_int($type, $type, $type);
}
sub generate_const_stack_macros {
my $type = shift;
return generate_stack_macros_int($type, "const $type", $type);
}
1;

Loading…
Cancel
Save