From 8075b54c2259eda55073911333c65a07bd62c5e2 Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Fri, 14 Jun 2024 12:07:46 -0700 Subject: [PATCH 1/3] align gcc version with curl's CI (#1633) Curl's tip of main is failing against a compiler warning specific to gcc-12 at the moment with `-Werror` enabled. This is causing errors in our integration CI. We enable the flag since Curl's CI enables it, but they run against gcc-11 for their CI at the moment. I've submitted an issue to curl to fix it (https://github.com/curl/curl/issues/13932), but we should use gcc-11 for our Curl CI to avoid with curl's main branch that are out of our control. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --- tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml index 075c1eb183..5f7ecf92f5 100644 --- a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml +++ b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml @@ -147,7 +147,7 @@ batch: type: LINUX_CONTAINER privileged-mode: false compute-type: BUILD_GENERAL1_MEDIUM - image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_latest + image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-11x_latest variables: AWS_LC_CI_TARGET: "tests/ci/integration/run_curl_integration.sh" 
@@ -157,7 +157,7 @@ batch: type: ARM_CONTAINER privileged-mode: false compute-type: BUILD_GENERAL1_LARGE - image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-aarch:ubuntu-22.04_gcc-12x_latest + image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-aarch:ubuntu-22.04_gcc-11x_latest variables: AWS_LC_CI_TARGET: "tests/ci/integration/run_curl_integration.sh" From e7e64f8d41ae94da136966e3011f73961798a14f Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Fri, 14 Jun 2024 12:08:32 -0700 Subject: [PATCH 2/3] Add support for NETSCAPE_SPKI_print (#1624) Ruby consumes NETSCAPE_SPKI_print for debugging purposes. This adds support for the symbol for easier integration. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --- crypto/x509/x509_test.cc | 40 +++++++++++++++++++++++++++++++++++ crypto/x509/x509spki.c | 45 ++++++++++++++++++++++++++++++++++++++++ include/openssl/x509.h | 3 +++ 3 files changed, 88 insertions(+) diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc index 9498c9aa3a..d92d1a1ac7 100644 --- a/crypto/x509/x509_test.cc +++ b/crypto/x509/x509_test.cc 
@@ -7583,3 +7583,43 @@ TEST(X509Test, PublicKeyCache) { key2.reset(X509_PUBKEY_get(pub)); EXPECT_FALSE(key2); } + +TEST(X509Test, SPKIPrint) { + bssl::UniquePtr bio(BIO_new(BIO_s_mem())); + ASSERT_TRUE(bio); + bssl::UniquePtr spki(NETSCAPE_SPKI_new()); + ASSERT_TRUE(spki); + + bssl::UniquePtr key = PrivateKeyFromPEM(kP256Key); + EXPECT_TRUE(NETSCAPE_SPKI_set_pubkey(spki.get(), key.get())); + EXPECT_TRUE(NETSCAPE_SPKI_sign(spki.get(), key.get(), EVP_sha256())); + + std::string challenge = "challenge string"; + ASSERT_TRUE(ASN1_STRING_set(spki.get()->spkac->challenge, challenge.data(), + challenge.size())); + + EXPECT_TRUE(NETSCAPE_SPKI_print(bio.get(), spki.get())); + + // The contents of the signature is printed last but it's randomized, + // so we only check the expected output before that. + static const char expected_certificate_string[] = R"(Netscape SPKI: + Public Key Algorithm: id-ecPublicKey + Public-Key: (P-256) + pub: + 04:e6:2b:69:e2:bf:65:9f:97:be:2f:1e:0d:94:8a: + 4c:d5:97:6b:b7:a9:1e:0d:46:fb:dd:a9:a9:1e:9d: + dc:ba:5a:01:e7:d6:97:a8:0a:18:f9:c3:c4:a3:1e: + 56:e2:7c:83:48:db:16:1a:1c:f5:1d:7e:f1:94:2d: + 4b:cf:72:22:c1 + Challenge String: challenge string + Signature Algorithm: ecdsa-with-SHA256 + )"; + + const uint8_t *data; + size_t data_len; + ASSERT_TRUE(BIO_mem_contents(bio.get(), &data, &data_len)); + ASSERT_GT(data_len, strlen(expected_certificate_string)); + std::string print(reinterpret_cast(data), + strlen(expected_certificate_string)); + EXPECT_EQ(print, expected_certificate_string); +} diff --git a/crypto/x509/x509spki.c b/crypto/x509/x509spki.c index 611a05f443..65021712e5 100644 --- a/crypto/x509/x509spki.c +++ b/crypto/x509/x509spki.c @@ -60,6 +60,7 @@ #include #include #include +#include "internal.h" int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey) { if ((x == NULL) || (x->spkac == NULL)) { 
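Review bot: The new `SPKIPrint` test only exercises the success path with a printable challenge, so the NULL-argument guard and the handling of unusual challenge bytes in `NETSCAPE_SPKI_print` are not pinned by any test. Add `EXPECT_FALSE(NETSCAPE_SPKI_print(nullptr, spki.get()));` and `EXPECT_FALSE(NETSCAPE_SPKI_print(bio.get(), nullptr));`, plus a case whose challenge contains a NUL or an escape byte, asserting exactly what ends up in the BIO. Printing a freshly allocated, unsigned SPKI is also worth a case, since it presumably takes the `signature->data == NULL` branch and should fail cleanly.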
@@ -131,3 +132,47 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki) { OPENSSL_free(der_spki); return b64_str; } + +int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki) { + if (out == NULL || spki == NULL || spki->spkac == NULL || + spki->spkac->pubkey == NULL || spki->sig_algor == NULL || + spki->sig_algor->algorithm == NULL || spki->signature == NULL || + spki->signature->data == NULL) { + OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + BIO_printf(out, "Netscape SPKI:\n"); + + // Print out public key algorithm and contents. + ASN1_OBJECT *spkioid; + X509_PUBKEY_get0_param(&spkioid, NULL, NULL, NULL, spki->spkac->pubkey); + int spkioid_nid = OBJ_obj2nid(spkioid); + BIO_printf(out, " Public Key Algorithm: %s\n", + (spkioid_nid == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(spkioid_nid)); + EVP_PKEY *pkey = X509_PUBKEY_get0(spki->spkac->pubkey); + if (pkey == NULL) { + BIO_printf(out, " Unable to load public key\n"); + } else { + EVP_PKEY_print_public(out, pkey, 4, NULL); + } + + ASN1_IA5STRING *chal = spki->spkac->challenge; + if (chal != NULL && chal->length != 0) { + BIO_printf(out, " Challenge String: %.*s\n", chal->length, chal->data); + } + + // Print out signature algorithm and contents. + BIO_printf(out, " Signature Algorithm: %s", + (OBJ_obj2nid(spki->sig_algor->algorithm) == NID_undef) + ? "UNKNOWN" + : OBJ_nid2ln(OBJ_obj2nid(spki->sig_algor->algorithm))); + for (int i = 0; i < spki->signature->length; i++) { + if ((i % 18) == 0) { + BIO_printf(out, "\n "); + } + BIO_printf(out, "%02x%s", (unsigned char)spki->signature->data[i], + ((i + 1) == spki->signature->length) ? "" : ":"); + } + BIO_write(out, "\n", 1); + return 1; +} diff --git a/include/openssl/x509.h b/include/openssl/x509.h index accb45c8b3..a27c6bc39d 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h 
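Review bot: The challenge is written with `BIO_printf(out, " Challenge String: %.*s\n", chal->length, chal->data)`, so bytes taken from a parsed SPKAC reach the output unescaped: control characters and terminal escape sequences pass straight through, and an embedded NUL silently truncates the value. Because this printer exists for debugging SPKIs that may originate from untrusted requests, print the label on its own and emit the value with `ASN1_STRING_print(out, chal)`, which substitutes non-printable bytes. Separately, the results of `BIO_printf`, `EVP_PKEY_print_public` and `BIO_write` are all ignored, so the function returns 1 even when writing to the BIO fails; returning 0 on a failed write would make the return value meaningful to callers.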
@@ -2345,6 +2345,9 @@ OPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out, OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac, uint8_t **outp); +// NETSCAPE_SPKI_print prints out the contents of |spki| to |out|. +OPENSSL_EXPORT int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki); + // RSASSA-PSS Parameters. // From 98735a2f6723ba984a18b2f79e05173a61e0f869 Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Fri, 14 Jun 2024 15:33:22 -0700 Subject: [PATCH 3/3] More minor symbols for Ruby support (#1581) This implements two minor symbols and a few no-op flags for Ruby support. New symbols: * PKCS12_new * CONF_get1_default_config_file No-op flags: * SSL_OP_CRYPTOPRO_TLSEXT_BUG * SSL_OP_SAFARI_ECDHE_ECDSA_BUG * SSL_OP_TLSEXT_PADDING ### Call-outs: All of these no-ops are following a precedent in AWS-LC. We may have to have a discussion on whether to support CONF modules further down the line, but exposing this as a no-op for now. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --- crypto/conf/conf.c | 4 ++ crypto/conf/conf_test.cc | 5 +++ crypto/pkcs8/pkcs12_test.cc | 6 +++ crypto/pkcs8/pkcs8_x509.c | 8 +++- docs/porting/configuration-differences.md | 47 ++++++++++++++++++++++- docs/porting/functionality-differences.md | 12 +++++- include/openssl/conf.h | 4 ++ include/openssl/pkcs8.h | 3 ++ include/openssl/ssl.h | 22 ++++++++++- 9 files changed, 105 insertions(+), 6 deletions(-) diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c index 64fb856a3b..7e049bb303 100644 --- a/crypto/conf/conf.c +++ b/crypto/conf/conf.c @@ -642,6 +642,10 @@ int CONF_modules_load_file(const char *filename, const char *appname, return 1; } +char *CONF_get1_default_config_file(void) { + return OPENSSL_strdup("No support for Config files in AWS-LC."); +} + void CONF_modules_free(void) {} void CONF_modules_unload(int all) {} 
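Review bot: The comment on `NETSCAPE_SPKI_print` states neither the return value nor the preconditions, while the implementation in this patch returns 0 and pushes `ERR_R_PASSED_NULL_PARAMETER` when the SPKI lacks a public key, signature algorithm or signature. Suggested wording: `// NETSCAPE_SPKI_print prints a human-readable form of |spki| to |out|. It returns one on success and zero if |out| or a required field of |spki| is NULL.` It is also worth stating that the output is intended for debugging and includes the challenge string taken from the structure.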
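Review bot: `CONF_get1_default_config_file` returns an English sentence where OpenSSL callers expect a filesystem path, so a consumer that hands the value to a config loader would look for a file literally named `No support for Config files in AWS-LC.` relative to its working directory. Whether any consumer does that is not visible here, but a value that cannot resolve inside a directory other users can write to, or an explicit statement that the result must never be opened, would be safer than relying on the name being unlikely. The comment added in include/openssl/conf.h should also say that the caller owns the string and frees it with `OPENSSL_free`, and that NULL is returned if allocation fails.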
diff --git a/crypto/conf/conf_test.cc b/crypto/conf/conf_test.cc index 9b3e00533b..92e52db5f9 100644 --- a/crypto/conf/conf_test.cc +++ b/crypto/conf/conf_test.cc @@ -401,3 +401,8 @@ TEST(ConfTest, ParseList) { EXPECT_EQ(result, t.expected); } } + +TEST(ConfTest, NoopString) { + bssl::UniquePtr string(CONF_get1_default_config_file()); + EXPECT_STREQ("No support for Config files in AWS-LC.", string.get()); +} diff --git a/crypto/pkcs8/pkcs12_test.cc b/crypto/pkcs8/pkcs12_test.cc index e23851ea9f..bb15f87cf9 100644 --- a/crypto/pkcs8/pkcs12_test.cc +++ b/crypto/pkcs8/pkcs12_test.cc @@ -674,3 +674,9 @@ TEST(PKCS12Test, CreateWithAlias) { ASSERT_EQ(alias, std::string(reinterpret_cast(parsed_alias), static_cast(alias_len))); } + +TEST(PKCS12Test, BasicAlloc) { + // Test direct allocation of |PKCS12_new| and |PKCS12_free|. + bssl::UniquePtr p12(PKCS12_new()); + ASSERT_TRUE(p12); +} diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c index c613bf121e..86148739c6 100644 --- a/crypto/pkcs8/pkcs8_x509.c +++ b/crypto/pkcs8/pkcs8_x509.c @@ -741,7 +741,7 @@ struct pkcs12_st { PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) { - PKCS12 *p12 = OPENSSL_malloc(sizeof(PKCS12)); + PKCS12 *p12 = PKCS12_new(); if (!p12) { return NULL; } @@ -1328,7 +1328,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, goto err; } - ret = OPENSSL_malloc(sizeof(PKCS12)); + ret = PKCS12_new(); if (ret == NULL || !CBB_finish(&cbb, &ret->ber_bytes, &ret->ber_len)) { OPENSSL_free(ret); @@ -1342,6 +1342,10 @@ PKCS12 *PKCS12_create(const char *password, const char *name, return ret; } +PKCS12 *PKCS12_new(void) { + return OPENSSL_zalloc(sizeof(PKCS12)); +} + void PKCS12_free(PKCS12 *p12) { if (p12 == NULL) { return; diff --git a/docs/porting/configuration-differences.md b/docs/porting/configuration-differences.md index 618d370942..c73f721e8e 100644 --- a/docs/porting/configuration-differences.md +++ b/docs/porting/configuration-differences.md 
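Review bot: `PKCS12_new` makes a zero-initialised `PKCS12` (no `ber_bytes`, `ber_len` of 0) reachable through the public API, a state that, as far as these hunks show, `d2i_PKCS12` and `PKCS12_create` do not return to callers. The other PKCS12 entry points lie outside the hunks, so it is worth confirming that they reject such an object rather than read through a NULL buffer, and extending `PKCS12Test.BasicAlloc` to pass the empty object to them instead of only asserting the allocation. The pkcs8.h comment could add that the returned object is empty, that NULL is returned on allocation failure, and that it is released with `PKCS12_free`.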
@@ -144,7 +144,7 @@ The following table contains the differences in libssl configuration options AWS - +

@@ -188,6 +188,21 @@ The following table contains the differences in libssl configuration options AWS

NO-OP

+ + +

+ + SSL_OP_CRYPTOPRO_TLSEXT_BUG + +

+ + +

OFF

+ + +

NO-OP

+ +

@@ -280,6 +295,36 @@ The following table contains the differences in libssl configuration options AWS

NO-OP

+ + + +

+ + SSL_OP_SAFARI_ECDHE_ECDSA_BUG + +

+ + +

ON

+ + +

NO-OP

+ + + + +

+ + SSL_OP_TLSEXT_PADDING + +

+ + +

ON

+ + +

NO-OP

+ diff --git a/docs/porting/functionality-differences.md b/docs/porting/functionality-differences.md index 6798e0b709..01161d7523 100644 --- a/docs/porting/functionality-differences.md +++ b/docs/porting/functionality-differences.md @@ -480,10 +480,10 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi - +

CONF modules

- +

@@ -498,6 +498,14 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi

Returns one.

+ + + +

CONF_get1_default_config_file

+ + +

Returns a fixed dummy string("No support for Config files in AWS-LC.")

+ diff --git a/include/openssl/conf.h b/include/openssl/conf.h index 2a829ae9e2..cd6c615703 100644 --- a/include/openssl/conf.h +++ b/include/openssl/conf.h @@ -142,6 +142,10 @@ OPENSSL_EXPORT const char *NCONF_get_string(const CONF *conf, OPENSSL_EXPORT OPENSSL_DEPRECATED int CONF_modules_load_file( const char *filename, const char *appname, unsigned long flags); +// CONF_get1_default_config_file returns a fixed dummy string. AWS-LC is defined +// to have no config file options. +OPENSSL_EXPORT OPENSSL_DEPRECATED char *CONF_get1_default_config_file(void); + // CONF_modules_free does nothing. OPENSSL_EXPORT OPENSSL_DEPRECATED void CONF_modules_free(void); diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h index 8774681e8b..e93724135b 100644 --- a/include/openssl/pkcs8.h +++ b/include/openssl/pkcs8.h @@ -232,6 +232,9 @@ OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name, int cert_nid, int iterations, int mac_iterations, int key_type); +// PKCS12_new returns a newly-allocated |PKCS12| object. +OPENSSL_EXPORT PKCS12 *PKCS12_new(void); + // PKCS12_free frees |p12| and its contents. OPENSSL_EXPORT void PKCS12_free(PKCS12 *p12); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 2a4b6587c2..eccdf28a96 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h 
@@ -5618,6 +5618,14 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // unpatched clients and servers and is intentionally not supported in AWS-LC. #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0 +// SSL_OP_CRYPTOPRO_TLSEXT_BUG is OFF by default in AWS-LC. Turning this ON in +// OpenSSL lets the server add a server-hello extension from early version of +// the cryptopro draft, when the GOST ciphersuite is negotiated. Required for +// interoperability with CryptoPro CSP 3.x. +// +// Note: AWS-LC does not support GOST ciphersuites. +#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0 + // SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is ON by default in AWS-LC. This // disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability // affecting CBC ciphers, which cannot be handled by some broken SSL @@ -5642,7 +5650,7 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // This always starts a new session when performing renegotiation as a server // (i.e., session resumption requests are only accepted in the initial // handshake). -// There is no support for renegototiation for a server in AWS-LC +// There is no support for renegototiation for a server in AWS-LC. #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 // SSL_OP_NO_SSLv2 is ON by default in AWS-LC. There is no support for SSLv2 in 
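Review bot: The comment line edited in the second hunk here still reads `renegototiation` after the change, which only appends a period. Since the line is being touched anyway, correct the spelling as well: `// There is no support for renegotiation for a server in AWS-LC.`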
@@ -5653,6 +5661,18 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // AWS-LC #define SSL_OP_NO_SSLv3 0 +// SSL_OP_SAFARI_ECDHE_ECDSA_BUG is OFF by default in AWS-LC. Turning this ON in +// OpenSSL lets the application not prefer ECDHE-ECDSA ciphers when the client +// appears to be Safari on OSX. +// +// Note: OS X 10.8..10.8.3 broke support for ECDHE-ECDSA ciphers. +#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0 + +// SSL_OP_TLSEXT_PADDING is OFF by default in AWS-LC. Turning this ON in OpenSSL +// adds a padding extension to ensure the ClientHello size is never between 256 +// and 511 bytes in length. This is needed as a workaround for F5 terminators. +#define SSL_OP_TLSEXT_PADDING 0 + // SSL_OP_TLS_ROLLBACK_BUG is OFF by default in AWS-LC. Turning this ON in // OpenSSL disables version rollback attack detection and is intentionally not // supported in AWS-LC.
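Review bot: The comments say `SSL_OP_SAFARI_ECDHE_ECDSA_BUG` and `SSL_OP_TLSEXT_PADDING` are OFF by default in AWS-LC, but the rows this same commit adds to docs/porting/configuration-differences.md list both as `ON`. The table's column headings are not visible in this view, so the two may be describing different things, but as written a reader porting from OpenSSL gets opposite answers about ClientHello padding and the Safari workaround. Make the header and the table agree, and have the header state what AWS-LC actually does, since each flag is defined as 0 and setting it cannot change behaviour.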