diff options
| author | Matt Caswell <matt@openssl.org> | 2020-09-02 16:15:06 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2020-09-13 11:09:45 +0100 |
| commit | 6ac1cd10ba8a1d92d3858e53a7aea2cf444adf26 (patch) | |
| tree | 9b2ccdb7ea5335deb20cfb4d98ee23b8ae10e299 | |
| parent | 08073700cc50bcd0df5c0ee68c100e300a320d03 (diff) | |
Fix safestack issues in ssl.h
We fix 3 problems with safestack:
- Including an openssl header file without linking against libcrypto
can cause compilation failures (even if the app does not otherwise need
to link against libcrypto). See issue #8102
- Recent changes means that applications in no-deprecated builds will need
to include additional macro calls in the source code for all stacks that
they need to use - which is an API break. This changes avoids that
necessity.
- It is not possible to write code using stacks that works in both a
no-deprecated and a normal build of OpenSSL. See issue #12707.
Fixes #12707
Contains a partial fix for #8102. A similar PR will be needed for hash to
fully fix.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | apps/ciphers.c | 2 | ||||
| -rw-r--r-- | apps/s_server.c | 1 | ||||
| -rw-r--r-- | build.info | 2 | ||||
| -rw-r--r-- | fuzz/client.c | 2 | ||||
| -rw-r--r-- | fuzz/server.c | 2 | ||||
| -rw-r--r-- | include/openssl/ssl.h.in (renamed from include/openssl/ssl.h) | 16 | ||||
| -rw-r--r-- | ssl/d1_srtp.c | 2 | ||||
| -rw-r--r-- | ssl/s3_lib.c | 1 | ||||
| -rw-r--r-- | ssl/ssl_ciph.c | 3 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 2 | ||||
| -rw-r--r-- | ssl/statem/extensions_clnt.c | 2 | ||||
| -rw-r--r-- | ssl/statem/extensions_srvr.c | 1 | ||||
| -rw-r--r-- | ssl/statem/statem_clnt.c | 2 | ||||
| -rw-r--r-- | ssl/statem/statem_lib.c | 1 | ||||
| -rw-r--r-- | ssl/statem/statem_srvr.c | 2 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 1 | ||||
| -rw-r--r-- | test/cipherbytes_test.c | 2 | ||||
| -rw-r--r-- | test/cipherlist_test.c | 2 | ||||
| -rw-r--r-- | test/ciphername_test.c | 2 | ||||
| -rw-r--r-- | test/dtls_mtu_test.c | 2 | ||||
| -rw-r--r-- | test/sslcorrupttest.c | 2 | ||||
| -rw-r--r-- | test/ssltest_old.c | 1 | ||||
| -rw-r--r-- | util/perl/OpenSSL/stackhash.pm | 92 |
24 files changed, 108 insertions, 38 deletions
diff --git a/.gitignore b/.gitignore index ecbc524829..498d3aeffa 100644 --- a/.gitignore +++ b/.gitignore @@ -25,6 +25,7 @@ /include/openssl/configuration.h /include/openssl/opensslv.h /include/openssl/fipskey.h +/include/openssl/ssl.h # Auto generated doc files doc/man1/openssl-*.pod diff --git a/apps/ciphers.c b/apps/ciphers.c index 380091f16f..500b416046 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -15,8 +15,6 @@ #include <openssl/err.h> #include <openssl/ssl.h> -DEFINE_STACK_OF_CONST(SSL_CIPHER) - typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_STDNAME, diff --git a/apps/s_server.c b/apps/s_server.c index 4c2e5b27f7..f1ea550fed 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -63,7 +63,6 @@ typedef unsigned int u_int; DEFINE_STACK_OF(X509_EXTENSION) DEFINE_STACK_OF(X509_CRL) DEFINE_STACK_OF(X509) -DEFINE_STACK_OF(SSL_CIPHER) DEFINE_STACK_OF_STRING() static int not_resumable_sess_cb(SSL *s, int is_forward_secure); diff --git a/build.info b/build.info index 1c6787c800..c1933bf73c 100644 --- a/build.info +++ b/build.info @@ -15,12 +15,14 @@ DEPEND[libssl]=libcrypto # unconditionally before anything else. DEPEND[]=include/openssl/configuration.h include/openssl/opensslv.h \ include/openssl/fipskey.h \ + include/openssl/ssl.h \ include/crypto/bn_conf.h include/crypto/dso_conf.h \ doc/man7/openssl_user_macros.pod GENERATE[include/openssl/configuration.h]=include/openssl/configuration.h.in GENERATE[include/openssl/opensslv.h]=include/openssl/opensslv.h.in GENERATE[include/openssl/fipskey.h]=include/openssl/fipskey.h.in +GENERATE[include/openssl/ssl.h]=include/openssl/ssl.h.in GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in GENERATE[doc/man7/openssl_user_macros.pod]=doc/man7/openssl_user_macros.pod.in diff --git a/fuzz/client.c b/fuzz/client.c index 01bd70a49f..2c2cd90fb8 100644 --- a/fuzz/client.c +++ b/fuzz/client.c @@ -20,8 +20,6 @@ #include "rand.inc" -DEFINE_STACK_OF(SSL_COMP) - /* unused, to avoid warning. */ static int idx; diff --git a/fuzz/server.c b/fuzz/server.c index f00029b0a9..8123c90994 100644 --- a/fuzz/server.c +++ b/fuzz/server.c @@ -24,8 +24,6 @@ #include "rand.inc" -DEFINE_STACK_OF(SSL_COMP) - static const uint8_t kCertificateDER[] = { 0x30, 0x82, 0x02, 0xff, 0x30, 0x82, 0x01, 0xe7, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x11, 0x00, 0xb1, 0x84, 0xee, 0x34, 0x99, 0x98, 0x76, 0xfb, diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h.in index 0b17f22193..264b7eddb7 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h.in @@ -1,4 +1,6 @@ /* + * {- join("\n * ", @autowarntext) -} + * * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. @@ -9,6 +11,10 @@ * https://www.openssl.org/source/license.html */ +{- +use OpenSSL::stackhash qw(generate_stack_macros generate_const_stack_macros); +-} + #ifndef OPENSSL_SSL_H # define OPENSSL_SSL_H # pragma once @@ -240,7 +246,9 @@ typedef struct srtp_protection_profile_st { const char *name; unsigned long id; } SRTP_PROTECTION_PROFILE; -DEFINE_OR_DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE) +{- + generate_stack_macros("SRTP_PROTECTION_PROFILE"); +-} typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, @@ -980,8 +988,10 @@ extern "C" { * These need to be after the above set of includes due to a compiler bug * in VisualStudio 2015 */ -DEFINE_OR_DECLARE_STACK_OF(SSL_CIPHER) -DEFINE_OR_DECLARE_STACK_OF(SSL_COMP) +{- + generate_const_stack_macros("SSL_CIPHER") + .generate_stack_macros("SSL_COMP"); +-} /* compatibility */ # define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)(arg))) diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index 66c1b54eeb..87fb4a243d 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c @@ -19,8 +19,6 @@ #ifndef OPENSSL_NO_SRTP -DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE) - static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { { "SRTP_AES128_CM_SHA1_80", diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 8f5aaaf942..c49f2118ca 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -22,7 +22,6 @@ DEFINE_STACK_OF(X509_NAME) DEFINE_STACK_OF(X509) -DEFINE_STACK_OF_CONST(SSL_CIPHER) #define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers) #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 64d773acbd..05add36d47 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -25,9 +25,6 @@ #include "internal/thread_once.h" #include "internal/cryptlib.h" -DEFINE_STACK_OF(SSL_COMP) -DEFINE_STACK_OF_CONST(SSL_CIPHER) - /* NB: make sure indices in these tables match values above */ typedef struct { diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index a036ac29e9..139fd628af 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -30,10 +30,8 @@ DEFINE_STACK_OF(X509) DEFINE_STACK_OF(X509_NAME) -DEFINE_STACK_OF_CONST(SSL_CIPHER) DEFINE_STACK_OF(X509_EXTENSION) DEFINE_STACK_OF(OCSP_RESPID) -DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE) DEFINE_STACK_OF(SCT) static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t, diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index abff069ec9..f8ae0612e3 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -12,8 +12,6 @@ #include "internal/cryptlib.h" #include "statem_local.h" -DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE) -DEFINE_STACK_OF_CONST(SSL_CIPHER) DEFINE_STACK_OF(OCSP_RESPID) EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index b5cd34b646..c686d00f0e 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -12,7 +12,6 @@ #include "statem_local.h" #include "internal/cryptlib.h" -DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE) DEFINE_STACK_OF(OCSP_RESPID) DEFINE_STACK_OF(X509_EXTENSION) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 0780e5fc9a..f8a3d25c08 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -29,8 +29,6 @@ #include <internal/cryptlib.h> DEFINE_STACK_OF(X509) -DEFINE_STACK_OF(SSL_COMP) -DEFINE_STACK_OF_CONST(SSL_CIPHER) static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt); static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt); diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index e0ff00d1b8..79195b2aa2 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -23,7 +23,6 @@ DEFINE_STACK_OF(X509) DEFINE_STACK_OF(X509_NAME) -DEFINE_STACK_OF_CONST(SSL_CIPHER) /* * Map error codes to TLS/SSL alart types. diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index c46254c858..f42e7865eb 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -27,8 +27,6 @@ #include <openssl/asn1t.h> DEFINE_STACK_OF(X509) -DEFINE_STACK_OF(SSL_COMP) -DEFINE_STACK_OF_CONST(SSL_CIPHER) #define TICKET_NONCE_SIZE 8 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index bf955bf3ec..702622487f 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -28,7 +28,6 @@ #include "ssl_local.h" #include <openssl/ct.h> -DEFINE_STACK_OF_CONST(SSL_CIPHER) DEFINE_STACK_OF(X509) DEFINE_STACK_OF(X509_NAME) diff --git a/test/cipherbytes_test.c b/test/cipherbytes_test.c index cbbfff2a41..ed4eacbdf3 100644 --- a/test/cipherbytes_test.c +++ b/test/cipherbytes_test.c @@ -21,8 +21,6 @@ #include "internal/nelem.h" #include "testutil.h" -DEFINE_STACK_OF(SSL_CIPHER) - static SSL_CTX *ctx; static SSL *s; diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c index 0f337b4054..380f0727fc 100644 --- a/test/cipherlist_test.c +++ b/test/cipherlist_test.c @@ -21,8 +21,6 @@ #include "internal/nelem.h" #include "testutil.h" -DEFINE_STACK_OF_CONST(SSL_CIPHER) - typedef struct cipherlist_test_fixture { const char *test_case_name; SSL_CTX *server; diff --git a/test/ciphername_test.c b/test/ciphername_test.c index c82a164827..c4ec6cadd7 100644 --- a/test/ciphername_test.c +++ b/test/ciphername_test.c @@ -22,8 +22,6 @@ #include "internal/nelem.h" #include "testutil.h" -DEFINE_STACK_OF(SSL_CIPHER) - typedef struct cipher_id_name { int id; const char *name; diff --git a/test/dtls_mtu_test.c b/test/dtls_mtu_test.c index b0730077b7..588ca32c79 100644 --- a/test/dtls_mtu_test.c +++ b/test/dtls_mtu_test.c @@ -20,8 +20,6 @@ /* for SSL_READ_ETM() */ #include "../ssl/ssl_local.h" -DEFINE_STACK_OF(SSL_CIPHER) - static int debug = 0; static unsigned int clnt_psk_callback(SSL *ssl, const char *hint, diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c index 641ecf331d..ca9e8bfd73 100644 --- a/test/sslcorrupttest.c +++ b/test/sslcorrupttest.c @@ -11,8 +11,6 @@ #include "ssltestlib.h" #include "testutil.h" -DEFINE_STACK_OF(SSL_CIPHER) - static int docorrupt = 0; static void copy_flags(BIO *bio) diff --git a/test/ssltest_old.c b/test/ssltest_old.c index 4f340fc2e0..88aef5e896 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -81,7 +81,6 @@ # include <unistd.h> #endif -DEFINE_STACK_OF(SSL_COMP) DEFINE_STACK_OF_STRING() static SSL_CTX *s_ctx = NULL; diff --git a/util/perl/OpenSSL/stackhash.pm b/util/perl/OpenSSL/stackhash.pm new file mode 100644 index 0000000000..d8ca76aa91 --- /dev/null +++ b/util/perl/OpenSSL/stackhash.pm @@ -0,0 +1,92 @@ +#! /usr/bin/env perl +# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +package OpenSSL::stackhash; + +use strict; +use warnings; + +require Exporter; +our @ISA = qw(Exporter); +our @EXPORT_OK = qw(generate_stack_macros generate_const_stack_macros); + +sub generate_stack_macros_int { + my $nametype = shift; + my $realtype = shift; + my $plaintype = shift; + + my $macros = <<END_MACROS; +STACK_OF(${nametype}); +typedef int (*sk_${nametype}_compfunc)(const ${plaintype} * const *a, const ${plaintype} *const *b); +typedef void (*sk_${nametype}_freefunc)(${plaintype} *a); +typedef ${plaintype} * (*sk_${nametype}_copyfunc)(const ${plaintype} *a); +static ossl_unused ossl_inline ${realtype} *ossl_check_${nametype}_type(${realtype} *ptr) +{ + return ptr; +} +static ossl_unused ossl_inline const OPENSSL_STACK *ossl_check_const_${nametype}_sk_type(const STACK_OF(${nametype}) *sk) +{ + return (const OPENSSL_STACK *)sk; +} +static ossl_unused ossl_inline OPENSSL_STACK *ossl_check_${nametype}_sk_type(STACK_OF(${nametype}) *sk) +{ + return (OPENSSL_STACK *)sk; +} +static ossl_unused ossl_inline OPENSSL_sk_compfunc ossl_check_${nametype}_compfunc_type(sk_${nametype}_compfunc cmp) +{ + return (OPENSSL_sk_compfunc)cmp; +} +static ossl_unused ossl_inline OPENSSL_sk_copyfunc ossl_check_${nametype}_copyfunc_type(sk_${nametype}_copyfunc cpy) +{ + return (OPENSSL_sk_copyfunc)cpy; +} +static ossl_unused ossl_inline OPENSSL_sk_freefunc ossl_check_${nametype}_freefunc_type(sk_${nametype}_freefunc fr) +{ + return (OPENSSL_sk_freefunc)fr; +} +#define sk_${nametype}_num(sk) OPENSSL_sk_num(ossl_check_const_${nametype}_sk_type(sk)) +#define sk_${nametype}_value(sk, idx) ((${realtype} *)OPENSSL_sk_value(ossl_check_const_${nametype}_sk_type(sk), (idx))) +#define sk_${nametype}_new(cmp) ((STACK_OF(${nametype}) *)OPENSSL_sk_new(ossl_check_${nametype}_compfunc_type(cmp))) +#define sk_${nametype}_new_null() ((STACK_OF(${nametype}) *)OPENSSL_sk_new_null()) +#define sk_${nametype}_new_reserve(cmp, n) ((STACK_OF(${nametype}) *)OPENSSL_sk_new_reserve(ossl_check_${nametype}_compfunc_type(cmp), (n))) +#define sk_${nametype}_reserve(sk, n) OPENSSL_sk_reserve(ossl_check_${nametype}_sk_type(sk), (n)) +#define sk_${nametype}_free(sk) OPENSSL_sk_free(ossl_check_${nametype}_sk_type(sk)) +#define sk_${nametype}_zero(sk) OPENSSL_sk_zero(ossl_check_${nametype}_sk_type(sk)) +#define sk_${nametype}_delete(sk, i) ((${realtype} *)OPENSSL_sk_delete(ossl_check_${nametype}_sk_type(sk), (i))) +#define sk_${nametype}_delete_ptr(sk, ptr) ((${realtype} *)OPENSSL_sk_delete_ptr(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr))) +#define sk_${nametype}_push(sk, ptr) OPENSSL_sk_push(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr)) +#define sk_${nametype}_unshift(sk, ptr) OPENSSL_sk_unshift(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr)) +#define sk_${nametype}_pop(sk) ((${realtype} *)OPENSSL_sk_pop(ossl_check_${nametype}_sk_type(sk))) +#define sk_${nametype}_shift(sk) ((${realtype} *)OPENSSL_sk_shift(ossl_check_${nametype}_sk_type(sk))) +#define sk_${nametype}_pop_free(sk, freefunc) OPENSSL_sk_pop_free(ossl_check_${nametype}_sk_type(sk),ossl_check_${nametype}_freefunc_type(freefunc)) +#define sk_${nametype}_insert(sk, ptr, idx) OPENSSL_sk_insert(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr), (idx)) +#define sk_${nametype}_set(sk, idx, ptr) ((${realtype} *)OPENSSL_sk_set(ossl_check_${nametype}_sk_type(sk), (idx), ossl_check_${nametype}_type(ptr))) +#define sk_${nametype}_find(sk, ptr) OPENSSL_sk_find(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr)) +#define sk_${nametype}_find_ex(sk, ptr) OPENSSL_sk_find_ex(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr)) +#define sk_${nametype}_sort(sk) OPENSSL_sk_sort(ossl_check_${nametype}_sk_type(sk)) +#define sk_${nametype}_is_sorted(sk) OPENSSL_sk_is_sorted(ossl_check_const_${nametype}_sk_type(sk)) +#define sk_${nametype}_dup(sk) ((STACK_OF(${nametype}) *)OPENSSL_sk_dup(ossl_check_const_${nametype}_sk_type(sk))) +#define sk_${nametype}_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(${nametype}) *)OPENSSL_sk_deep_copy(ossl_check_const_${nametype}_sk_type(sk), ossl_check_${nametype}_copyfunc_type(copyfunc), ossl_check_${nametype}_freefunc_type(freefunc))) +#define sk_${nametype}_set_cmp_func(sk, cmp) ((sk_${nametype}_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_compfunc_type(cmp))) +END_MACROS + + return $macros; +} + +sub generate_stack_macros { + my $type = shift; + + return generate_stack_macros_int($type, $type, $type); +} + +sub generate_const_stack_macros { + my $type = shift; + + return generate_stack_macros_int($type, "const $type", $type); +} +1; |