diff --git a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509.cs b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509.cs
index bc7b41d96e1361..975940df1cf7c8 100644
--- a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509.cs
+++ b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509.cs
@@ -343,14 +343,6 @@ internal enum X509VerifyStatusCodeUniversal
 X509_V_ERR_EMAIL_MISMATCH = 63,
 X509_V_ERR_IP_ADDRESS_MISMATCH = 64,
 }
- internal enum X509VerifyStatusCode102
- {
- X509_V_ERR_INVALID_CA = 24,
-
- X509_V_ERR_INVALID_CALL = 65,
- X509_V_ERR_STORE_LOOKUP = 66,
- X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION = 67,
- }
 internal enum X509VerifyStatusCode111
 {
@@ -421,7 +413,6 @@ internal X509VerifyStatusCode(int code)
 }
 public X509VerifyStatusCodeUniversal UniversalCode => (X509VerifyStatusCodeUniversal)Code;
- public X509VerifyStatusCode102 Code102 => (X509VerifyStatusCode102)Code;
 public X509VerifyStatusCode111 Code111 => (X509VerifyStatusCode111)Code;
 public X509VerifyStatusCode30 Code30 => (X509VerifyStatusCode30)Code;
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
index b0118c9c60c98c..79f8ca38842e1c 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
@@ -1172,18 +1172,6 @@ private static X509ChainStatusFlags MapOpenSsl30Code(Interop.Crypto.X509VerifySt } } - private static X509ChainStatusFlags MapOpenSsl102Code(Interop.Crypto.X509VerifyStatusCode code) - { - switch (code.Code102) - { - case Interop.Crypto.X509VerifyStatusCode102.X509_V_ERR_INVALID_CA: - return X509ChainStatusFlags.InvalidBasicConstraints; - default: - Debug.Fail("Unrecognized X509VerifyStatusCode:" + code.Code102); - throw GetUnmappedCodeException(nameof(MapOpenSsl102Code), (int)code.Code102); - } - } - private static X509ChainStatusFlags MapOpenSsl111Code(Interop.Crypto.X509VerifyStatusCode code) { switch (code.Code111) @@ -1417,7 +1405,7 @@ private static MapVersionSpecificCode GetVersionLookup() return MapOpenSsl111Code; } - return MapOpenSsl102Code; + throw new CryptographicException(); } private static CryptographicException GetUnmappedCodeException(string functionName, int code) diff --git a/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt b/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt index e17ebfaea36556..26886f4a2fdc88 100644 --- a/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt +++ b/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt @@ -23,7 +23,6 @@ append_extra_cryptography_libs(NATIVE_LIBS_EXTRA) include_directories(${OPENSSL_INCLUDE_DIR}) set(NATIVECRYPTO_SOURCES - apibridge.c apibridge_30.c memory_debug.c openssl.c diff --git a/src/native/libs/System.Security.Cryptography.Native/apibridge.c b/src/native/libs/System.Security.Cryptography.Native/apibridge.c deleted file mode 100644 index bf1eb9d9ecb96b..00000000000000 --- a/src/native/libs/System.Security.Cryptography.Native/apibridge.c +++ /dev/null 
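Review bot: The new `throw new CryptographicException();` in GetVersionLookup carries no message, so on an OpenSSL build that is neither 1.1.1 nor 3.x the caller gets a bare exception that names neither the cause nor the detected version, while the remaining mappers in this file still route their failures through GetUnmappedCodeException with a function name and a code. Because this replaces the last fallback that used to succeed, a message stating that the loaded OpenSSL version is unsupported would make the failure diagnosable from logs, e.g. `throw new CryptographicException(<SR resource naming the unsupported OpenSSL version>);`. GetVersionLookup starts outside the hunk, so the version check itself is not visible here; if the lookup is only evaluated when a verify error needs mapping, the unsupported version will also surface late, at the first chain failure, rather than at initialization, which is worth a comment on the throw.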
@@ -1,950 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. - -#include "opensslshim.h" -#include "pal_crypto_types.h" -#include "pal_types.h" - -#include "../Common/pal_safecrt.h" -#include - -#ifdef NEED_OPENSSL_1_0 - -#include "apibridge.h" - -// Minimally define the structs from 1.0.x which went opaque in 1.1.0 for the -// portable build building against the 1.1.x headers -#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_0_RTM -#include "openssl_1_0_structs.h" - -#define CRYPTO_LOCK_X509 3 -#define CRYPTO_LOCK_EVP_PKEY 10 -#define CRYPTO_LOCK_BIO 21 - -#define SSL_CTRL_GET_SESSION_REUSED 8 -#define SSL_CTRL_OPTIONS 32 - -#define SSL_ST_OK 3 -#endif - -c_static_assert(X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS == 4); - -const ASN1_TIME* local_X509_get0_notBefore(const X509* x509) -{ - if (x509 && x509->cert_info && x509->cert_info->validity) - { - return x509->cert_info->validity->notBefore; - } - - return NULL; -} - -const ASN1_TIME* local_X509_get0_notAfter(const X509* x509) -{ - if (x509 && x509->cert_info && x509->cert_info->validity) - { - return x509->cert_info->validity->notAfter; - } - - return NULL; -} - -int local_X509_set1_notBefore(X509* x509, const ASN1_TIME* time) -{ - if (x509 && x509->cert_info && x509->cert_info->validity) - { - if (time != x509->cert_info->validity->notBefore) - { - if (x509->cert_info->validity->notBefore) - { - ASN1_TIME_free(x509->cert_info->validity->notBefore); - } - - x509->cert_info->validity->notBefore = ASN1_STRING_dup(time); - } - - return x509->cert_info->validity->notBefore != NULL; - } - - return 0; -} - -int local_X509_set1_notAfter(X509* x509, const ASN1_TIME* time) -{ - if (x509 && x509->cert_info && x509->cert_info->validity) - { - if (time != x509->cert_info->validity->notAfter) - { - if (x509->cert_info->validity->notAfter) - { - ASN1_TIME_free(x509->cert_info->validity->notAfter); - } - - 
x509->cert_info->validity->notAfter = ASN1_STRING_dup(time); - } - - return x509->cert_info->validity->notAfter != NULL; - } - - return 0; -} - -const ASN1_TIME* local_X509_CRL_get0_nextUpdate(const X509_CRL* crl) -{ - if (crl && crl->crl) - { - return crl->crl->nextUpdate; - } - - return NULL; -} - -int32_t local_X509_get_version(const X509* x509) -{ - if (x509 && x509->cert_info) - { - long ver = ASN1_INTEGER_get(x509->cert_info->version); - return (int32_t)ver; - } - - return -1; -} - -X509_PUBKEY* local_X509_get_X509_PUBKEY(const X509* x509) -{ - if (x509 && x509->cert_info) - { - return x509->cert_info->key; - } - - return NULL; -} - -int32_t local_X509_PUBKEY_get0_param( - ASN1_OBJECT** palgOid, const uint8_t** pkeyBytes, int* pkeyBytesLen, X509_ALGOR** palg, X509_PUBKEY* pubkey) -{ - if (!pubkey) - { - return 0; - } - - if (palgOid) - { - if (!pubkey->algor) - { - return 0; - } - - *palgOid = pubkey->algor->algorithm; - } - - if (pkeyBytes) - { - if (!pubkey->public_key) - { - return 0; - } - - *pkeyBytes = pubkey->public_key->data; - *pkeyBytesLen = pubkey->public_key->length; - } - - if (palg) - { - *palg = pubkey->algor; - } - - return 1; -} - -const X509_ALGOR* local_X509_get0_tbs_sigalg(const X509* x509) -{ - if (x509 && x509->cert_info) - { - return x509->cert_info->signature; - } - - return NULL; -} - -ASN1_BIT_STRING* local_X509_get0_pubkey_bitstr(const X509* x509) -{ - if (x509 && x509->cert_info && x509->cert_info->key) - { - return x509->cert_info->key->public_key; - } - - return NULL; -} - -int32_t local_X509_NAME_get0_der(X509_NAME* x509Name, const uint8_t** pder, size_t* pderlen) -{ - if (!x509Name || !x509Name->bytes) - { - return 0; - } - - if (pder) - { - *pder = (unsigned char*)x509Name->bytes->data; - } - - if (pderlen) - { - *pderlen = x509Name->bytes->length; - } - - return 1; -} - -long local_OpenSSL_version_num(void) -{ - return (long)SSLeay(); -} - -const DSA_METHOD* local_DSA_get_method(const DSA* dsa) -{ - if (dsa) - { - return 
dsa->meth; - } - - return NULL; -} - -void local_DSA_get0_pqg(const DSA* dsa, const BIGNUM** p, const BIGNUM** q, const BIGNUM** g) -{ - if (!dsa) - { - return; - } - - if (p) - { - *p = dsa->p; - } - - if (q) - { - *q = dsa->q; - } - - if (g) - { - *g = dsa->g; - } -} - -const BIGNUM* local_DSA_get0_key(const DSA* dsa, const BIGNUM** pubKey, const BIGNUM** privKey) -{ - if (dsa) - { - if (pubKey) - { - *pubKey = dsa->pub_key; - } - - if (privKey) - { - *privKey = dsa->priv_key; - } - } - - return NULL; -} - -int32_t local_DSA_set0_pqg(DSA* dsa, BIGNUM* bnP, BIGNUM* bnQ, BIGNUM* bnG) -{ - if (!dsa) - { - return 0; - } - - if ((dsa->p == NULL && bnP == NULL) || (dsa->q == NULL && bnQ == NULL) || (dsa->g == NULL && bnG == NULL)) - { - return 0; - } - - if (bnP) - { - BN_free(dsa->p); - dsa->p = bnP; - } - - if (bnQ) - { - BN_free(dsa->q); - dsa->q = bnQ; - } - - if (bnG) - { - BN_free(dsa->g); - dsa->g = bnG; - } - - return 1; -} - -int32_t local_DSA_set0_key(DSA* dsa, BIGNUM* bnY, BIGNUM* bnX) -{ - if (!dsa) - { - return 0; - } - - if (dsa->pub_key == NULL && bnY == NULL) - { - return 0; - } - - if (bnY) - { - BN_free(dsa->pub_key); - dsa->pub_key = bnY; - } - - if (bnX) - { - BN_free(dsa->priv_key); - dsa->priv_key = bnX; - } - - return 1; -} - -RSA* local_EVP_PKEY_get0_RSA(EVP_PKEY* pkey) -{ - if (pkey == NULL) - { - return NULL; - } - - RSA* rsa = EVP_PKEY_get1_RSA(pkey); - - if (rsa != NULL) - { - RSA_free(rsa); - } - - return rsa; -} - -int32_t local_EVP_PKEY_up_ref(EVP_PKEY* pkey) -{ - if (!pkey) - { - return 0; - } - - return CRYPTO_add_lock(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY, __FILE__, __LINE__) > 1; -} - -EVP_CIPHER_CTX* local_EVP_CIPHER_CTX_new(void) -{ - EVP_CIPHER_CTX* ctx = (EVP_CIPHER_CTX*)calloc(1, sizeof(EVP_CIPHER_CTX)); - return ctx; -} - -int32_t local_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX* ctx) -{ - if (ctx) - { - int ret = EVP_CIPHER_CTX_cleanup(ctx); - EVP_CIPHER_CTX_init(ctx); - return ret; - } - - // OpenSSL 1.1 returns success 1 on a 
NULL input - return 1; -} - -void local_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX* ctx) -{ - if (ctx) - { - local_EVP_CIPHER_CTX_reset(ctx); - free(ctx); - } -} - -HMAC_CTX* local_HMAC_CTX_new(void) -{ - HMAC_CTX* ctx = (HMAC_CTX*)calloc(1, sizeof(HMAC_CTX)); - - if (ctx) - { - HMAC_CTX_init(ctx); - } - - return ctx; -} - -void local_HMAC_CTX_free(HMAC_CTX* ctx) -{ - if (ctx != NULL) - { - HMAC_CTX_cleanup(ctx); - free(ctx); - } -} - -int32_t local_RSA_meth_get_flags(const RSA_METHOD* meth) -{ - if (meth) - { - return meth->flags; - } - - return 0; -} - -void local_RSA_get0_key(const RSA* rsa, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d) -{ - if (rsa) - { - if (n) - { - *n = rsa->n; - } - - if (e) - { - *e = rsa->e; - } - - if (d) - { - *d = rsa->d; - } - } -} - -void local_RSA_get0_factors(const RSA* rsa, const BIGNUM** p, const BIGNUM** q) -{ - if (rsa) - { - if (p) - { - *p = rsa->p; - } - - if (q) - { - *q = rsa->q; - } - } -} - -void local_RSA_get0_crt_params(const RSA* rsa, const BIGNUM** dmp1, const BIGNUM** dmq1, const BIGNUM** iqmp) -{ - if (rsa) - { - if (dmp1) - { - *dmp1 = rsa->dmp1; - } - - if (dmq1) - { - *dmq1 = rsa->dmq1; - } - - if (iqmp) - { - *iqmp = rsa->iqmp; - } - } -} - -int local_RSA_get_multi_prime_extra_count(const RSA* rsa) -{ - (void)rsa; - // OpenSSL before 1.1 does not support multi-prime RSA, so it implicitly - // has zero extra primes. 
- return 0; -} - -int32_t local_RSA_set0_key(RSA* rsa, BIGNUM* n, BIGNUM* e, BIGNUM* d) -{ - if (rsa == NULL) - { - return 0; - } - - if ((rsa->n == NULL && n == NULL) || (rsa->e == NULL && e == NULL)) - { - return 0; - } - - if (n != NULL) - { - BN_free(rsa->n); - rsa->n = n; - } - - if (e != NULL) - { - BN_free(rsa->e); - rsa->e = e; - } - - if (d != NULL) - { - BN_free(rsa->d); - rsa->d = d; - } - - return 1; -} - -int32_t local_RSA_set0_factors(RSA* rsa, BIGNUM* p, BIGNUM* q) -{ - if (rsa == NULL) - { - return 0; - } - - if ((rsa->p == NULL && p == NULL) || (rsa->q == NULL && q == NULL)) - { - return 0; - } - - if (p != NULL) - { - BN_free(rsa->p); - rsa->p = p; - } - - if (q != NULL) - { - BN_free(rsa->q); - rsa->q = q; - } - - return 1; -} - -int32_t local_RSA_set0_crt_params(RSA* rsa, BIGNUM* dmp1, BIGNUM* dmq1, BIGNUM* iqmp) -{ - if (rsa == NULL) - { - return 0; - } - - if ((rsa->dmp1 == NULL && dmp1 == NULL) || (rsa->dmq1 == NULL && dmq1 == NULL) || - (rsa->iqmp == NULL && iqmp == NULL)) - { - return 0; - } - - if (dmp1 != NULL) - { - BN_free(rsa->dmp1); - rsa->dmp1 = dmp1; - } - - if (dmq1 != NULL) - { - BN_free(rsa->dmq1); - rsa->dmq1 = dmq1; - } - - if (iqmp != NULL) - { - BN_free(rsa->iqmp); - rsa->iqmp = iqmp; - } - - return 1; -} - -int32_t local_SSL_CTX_config(SSL_CTX* ctx, const char* name) -{ - (void)ctx; - (void)name; - - // 1.0.x didn't load config in the same manner as 1.1.x, - // so the appropriate answer is "section not found". - return 0; -} - -int32_t local_SSL_is_init_finished(const SSL* ssl) -{ - return SSL_state(ssl) == SSL_ST_OK; -} - -/* -Function: -CheckX509HostnameMatch - -Checks if a particular ASN1_STRING represents the entry in a certificate which would match against -the requested hostname. - -Parameter sanRules: 0 for match rules against the subject CN, 1 for match rules against a SAN entry - -Return values: -1 if the hostname is a match -0 if the hostname is not a match -Any negative number indicates an error in the arguments. 
-*/ -static int CheckX509HostnameMatch(ASN1_STRING* candidate, const char* hostname, int cchHostname, int typeMatch) -{ - assert(candidate != NULL); - assert(hostname != NULL); - - if (!candidate->data || !candidate->length) - { - return 0; - } - - // If the candidate is *.example.org then the smallest we would match is a.example.org, which is the same - // length. So anything longer than what we're matching against isn't valid. - - // Since the IDNA punycode conversion was applied already this holds even - // in Unicode requests. - if (candidate->length > cchHostname) - { - return 0; - } - - char* candidateStr; - int i; - int hostnameFirstDot = -1; - - if (candidate->type != typeMatch) - { - return 0; - } - - // Great, candidateStr is just candidate->data! - candidateStr = (char*)(candidate->data); - - // First, verify that the string is alphanumeric, plus hyphens or periods and maybe starting with an asterisk. - for (i = 0; i < candidate->length; ++i) - { - char c = candidateStr[i]; - - if ((c < 'A' || c > 'Z') && (c < 'a' || c > 'z') && (c < '0' || c > '9') && (c != '.') && (c != '-') && - (c != '*' || i != 0)) - { - return 0; - } - } - - if (candidateStr[0] != '*') - { - if (candidate->length != cchHostname) - { - return 0; - } - - return !strncasecmp((const char*)candidateStr, hostname, (size_t)cchHostname); - } - - for (i = 0; i < cchHostname; ++i) - { - if (hostname[i] == '.') - { - hostnameFirstDot = i; - break; - } - } - - if (hostnameFirstDot < 0) - { - // It's possible that this should be considered a match if the entire SAN entry is '*', - // aka candidate->length == 1; but nothing talks about this case. - return 0; - } - - int foundSecondDot = 0; - - for (i = hostnameFirstDot + 1; i < cchHostname; ++i) - { - if (hostname[i] == '.') - { - foundSecondDot = 1; - break; - } - } - - // OpenSSL requires two dots for their hostname match. 
- if (!foundSecondDot) - { - return 0; - } - - { - // Determine how many characters exist after the portion the wildcard would match. For example, - // if hostname is 10 bytes long, and the '.' was at index 3, then we eliminate the first 3 - // characters (www) from the match constraint. This forces the wildcard to be the last - // character before the . in its match group. - int matchLength = cchHostname - hostnameFirstDot; - - // If what's left over from hostname isn't as long as what's left over from the candidate - // after the first character was an asterisk, it can't match. - if (matchLength != (candidate->length - 1)) - { - return 0; - } - - return !strncasecmp(candidateStr + 1, hostname + hostnameFirstDot, (size_t)matchLength); - } -} - -int32_t local_X509_check_host(X509* x509, const char* name, size_t namelen, unsigned int flags, char** peername) -{ - assert(peername == NULL); - assert(flags == X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - (void)flags; - (void)peername; - - GENERAL_NAMES* san = (GENERAL_NAMES*)(X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)); - int readSubject = 1; - int success = 0; - - // RFC2818 says that if ANY dNSName alternative name field is present then - // we should ignore the subject common name. - - if (san != NULL) - { - int count = sk_GENERAL_NAME_num(san); - - for (int i = 0; i < count; ++i) - { - GENERAL_NAME* sanEntry = sk_GENERAL_NAME_value(san, i); - - if (sanEntry->type != GEN_DNS) - { - continue; - } - - readSubject = 0; - - // A GEN_DNS name is supposed to be a V_ASN1_IA5STRING. - // If it isn't, we don't know how to read it. - if (CheckX509HostnameMatch(sanEntry->d.dNSName, name, (int)namelen, V_ASN1_IA5STRING)) - { - success = 1; - break; - } - } - - GENERAL_NAMES_free(san); - } - - if (readSubject) - { - assert(success == 0); - - // This is a shared/interor pointer, do not free! 
- X509_NAME* subject = X509_get_subject_name(x509); - - if (subject != NULL) - { - int i = -1; - - while ((i = X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0) - { - // Shared/interior pointers, do not free! - X509_NAME_ENTRY* nameEnt = X509_NAME_get_entry(subject, i); - ASN1_STRING* cn = X509_NAME_ENTRY_get_data(nameEnt); - - // For compatibility with previous .NET builds, allow any type of - // string for CN, provided it ended up with a single-byte encoding (otherwise - // strncasecmp simply won't match). - if (CheckX509HostnameMatch(cn, name, (int)namelen, cn->type)) - { - success = 1; - break; - } - } - } - } - - return success; -} - -X509Stack* local_X509_STORE_CTX_get0_chain(X509_STORE_CTX* ctx) -{ - return ctx ? ctx->chain : NULL; -} - -X509_STORE* local_X509_STORE_CTX_get0_store(X509_STORE_CTX* ctx) -{ - return ctx ? ctx->ctx: NULL; -} - -X509Stack* local_X509_STORE_CTX_get0_untrusted(X509_STORE_CTX* ctx) -{ - return ctx ? ctx->untrusted : NULL; -} - -X509* local_X509_STORE_CTX_get0_cert(X509_STORE_CTX* ctx) -{ - return ctx ? ctx->cert : NULL; -} - -X509_VERIFY_PARAM* local_X509_STORE_get0_param(X509_STORE* ctx) -{ - return ctx ? ctx->param: NULL; -} - -int32_t local_X509_up_ref(X509* x509) -{ - if (x509 != NULL) - { - return CRYPTO_add_lock(&x509->references, 1, CRYPTO_LOCK_X509, __FILE__, __LINE__) > 1; - } - - return 0; -} - -unsigned long local_SSL_CTX_set_options(SSL_CTX* ctx, unsigned long options) -{ - // SSL_CTX_ctrl is signed long in and signed long out; but SSL_CTX_set_options, - // which was a macro call to SSL_CTX_ctrl in 1.0, is unsigned/unsigned. - return (unsigned long)SSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, (long)options, NULL); -} - -unsigned long local_SSL_set_options(SSL* ssl, unsigned long options) -{ - // SSL_ctrl is signed long in and signed long out; but SSL_set_options, - // which was a macro call to SSL_ctrl in 1.0, is unsigned/unsigned. 
- return (unsigned long)SSL_ctrl(ssl, SSL_CTRL_OPTIONS, (long)options, NULL); -} - -int local_SSL_session_reused(SSL* ssl) -{ - return (int)SSL_ctrl(ssl, SSL_CTRL_GET_SESSION_REUSED, 0, NULL); -} - -void local_SSL_CTX_set_security_level(SSL_CTX* ctx, int32_t level) -{ - (void)ctx; - (void)level; -} - -void local_SSL_set_security_level(SSL* ssl, int32_t level) -{ - (void)ssl; - (void)level; -} - -void local_SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) -{ - (void)ctx; - (void)cb; -} - -int local_BIO_up_ref(BIO *bio) -{ - if (!bio) - { - return 0; - } - - return CRYPTO_add_lock(&bio->references, 1, CRYPTO_LOCK_BIO, __FILE__, __LINE__) > 1; -} - -int32_t local_RSA_pkey_ctx_ctrl(EVP_PKEY_CTX* ctx, int32_t optype, int32_t cmd, int32_t p1, void* p2) -{ - // On OpenSSL 1.0.2 there aren't two different identifiers for RSA, - // so just pass the request on th EVP_PKEY_CTX_ctrl with the only identifier defined. - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, optype, cmd, p1, p2); -} - -int local_RSA_test_flags(const RSA *r, int flags) -{ - return r->flags & flags; -} - -int local_EVP_PKEY_check(EVP_PKEY_CTX* ctx) -{ - EVP_PKEY* pkey = EVP_PKEY_CTX_get0_pkey(ctx); - - if (pkey == NULL) - { - ERR_put_error(ERR_LIB_EVP, 0, EVP_R_INPUT_NOT_INITIALIZED, __FILE__, __LINE__); - return -1; - } - - int id = EVP_PKEY_get_base_id(pkey); - - switch (id) - { - case NID_rsaEncryption: - { - const RSA* rsa = EVP_PKEY_get0_RSA(pkey); - - if (rsa != NULL) - { - return RSA_check_key(rsa); - } - - break; - } - default: - ERR_put_error(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_ALGORITHM, __FILE__, __LINE__); - return -1; - } - - ERR_put_error(ERR_LIB_EVP, 0, EVP_R_NO_KEY_SET, __FILE__, __LINE__); - return -1; -} - -int local_EVP_PKEY_public_check(EVP_PKEY_CTX* ctx) -{ - EVP_PKEY* pkey = EVP_PKEY_CTX_get0_pkey(ctx); - - if (pkey == NULL) - { - ERR_put_error(ERR_LIB_EVP, 0, EVP_R_INPUT_NOT_INITIALIZED, __FILE__, __LINE__); - return -1; - } - - int id = EVP_PKEY_get_base_id(pkey); - - 
switch (id) - { - case NID_rsaEncryption: - { - ERR_put_error(ERR_LIB_EVP, 0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE, __FILE__, __LINE__); - return -2; - } - default: - ERR_put_error(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_ALGORITHM, __FILE__, __LINE__); - return -1; - } -} - -int local_ASN1_TIME_to_tm(const ASN1_TIME* s, struct tm* tm) -{ - (void)s; - (void)tm; - - return 0; -} - -int local_BN_is_zero(const BIGNUM* a) -{ - return a->top == 0; -} - -int local_BN_is_one(const BIGNUM* a) -{ - return BN_abs_is_word(a, 1) && !a->neg; -} - -int local_BN_abs_is_word(const BIGNUM *a, const BN_ULONG w) -{ - return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0)); -} - -int local_BN_is_odd(const BIGNUM* a) -{ - return (a->top > 0) && (a->d[0] & 1); -} - -#endif diff --git a/src/native/libs/System.Security.Cryptography.Native/apibridge.h b/src/native/libs/System.Security.Cryptography.Native/apibridge.h deleted file mode 100644 index ae305b977629dd..00000000000000 --- a/src/native/libs/System.Security.Cryptography.Native/apibridge.h +++ /dev/null 
@@ -1,73 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. - -// Functions based on OpenSSL 1.1 API, used when building against/running with OpenSSL 1.0 - -#pragma once -#include "pal_types.h" - -int local_ASN1_TIME_to_tm(const ASN1_TIME* s, struct tm* tm); -int local_BN_abs_is_word(const BIGNUM *a, const BN_ULONG w); -int local_BN_is_zero(const BIGNUM* a); -int local_BN_is_odd(const BIGNUM* a); -int local_BN_is_one(const BIGNUM* a); -int local_BIO_up_ref(BIO *a); -const BIGNUM* local_DSA_get0_key(const DSA* dsa, const BIGNUM** pubKey, const BIGNUM** privKey); -void local_DSA_get0_pqg(const DSA* dsa, const BIGNUM** p, const BIGNUM** q, const BIGNUM** g); -const DSA_METHOD* local_DSA_get_method(const DSA* dsa); -int32_t local_DSA_set0_key(DSA* dsa, BIGNUM* bnY, BIGNUM* bnX); -int32_t local_DSA_set0_pqg(DSA* dsa, BIGNUM* bnP, BIGNUM* bnQ, BIGNUM* bnG); -void local_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX* ctx); -EVP_CIPHER_CTX* local_EVP_CIPHER_CTX_new(void); -int32_t local_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX* ctx); -int local_EVP_PKEY_check(EVP_PKEY_CTX* ctx); -RSA* local_EVP_PKEY_get0_RSA(EVP_PKEY* pkey); -int local_EVP_PKEY_public_check(EVP_PKEY_CTX* ctx); -int32_t local_EVP_PKEY_up_ref(EVP_PKEY* pkey); -void local_HMAC_CTX_free(HMAC_CTX* ctx); -HMAC_CTX* local_HMAC_CTX_new(void); -long local_OpenSSL_version_num(void); -void local_RSA_get0_crt_params(const RSA* rsa, const BIGNUM** dmp1, const BIGNUM** dmq1, const BIGNUM** iqmp); -void local_RSA_get0_factors(const RSA* rsa, const BIGNUM** p, const BIGNUM** q); -void local_RSA_get0_key(const RSA* rsa, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d); -int local_RSA_get_multi_prime_extra_count(const RSA* r); -int32_t local_RSA_meth_get_flags(const RSA_METHOD* meth); -int32_t local_RSA_set0_crt_params(RSA* rsa, BIGNUM* dmp1, BIGNUM* dmq1, BIGNUM* iqmp); -int32_t local_RSA_set0_factors(RSA* rsa, BIGNUM* p, BIGNUM* q); 
-int32_t local_RSA_set0_key(RSA* rsa, BIGNUM* n, BIGNUM* e, BIGNUM* d); -int local_RSA_test_flags(const RSA *r, int flags); -int32_t local_RSA_pkey_ctx_ctrl(EVP_PKEY_CTX* ctx, int32_t optype, int32_t cmd, int32_t p1, void* p2); -int32_t local_SSL_is_init_finished(const SSL* ssl); -int32_t local_SSL_CTX_config(SSL_CTX* ctx, const char* name); -unsigned long local_SSL_CTX_set_options(SSL_CTX* ctx, unsigned long options); -unsigned long local_SSL_set_options(SSL* ssl, unsigned long options); -void local_SSL_CTX_set_security_level(SSL_CTX* ctx, int32_t level); -void local_SSL_set_security_level(SSL* ssl, int32_t level); -int local_SSL_session_reused(SSL* ssl); -int32_t local_X509_check_host(X509* x509, const char* name, size_t namelen, unsigned int flags, char** peername); -const ASN1_TIME* local_X509_CRL_get0_nextUpdate(const X509_CRL* crl); -int32_t local_X509_NAME_get0_der(X509_NAME* x509Name, const uint8_t** pder, size_t* pderlen); -int32_t local_X509_PUBKEY_get0_param( - ASN1_OBJECT** palgOid, const uint8_t** pkeyBytes, int* pkeyBytesLen, X509_ALGOR** palg, X509_PUBKEY* pubkey); -STACK_OF(X509)* local_X509_STORE_CTX_get0_chain(X509_STORE_CTX* ctx); -X509* local_X509_STORE_CTX_get0_cert(X509_STORE_CTX* ctx); -X509_STORE* local_X509_STORE_CTX_get0_store(X509_STORE_CTX* ctx); -STACK_OF(X509)* local_X509_STORE_CTX_get0_untrusted(X509_STORE_CTX* ctx); -X509_VERIFY_PARAM* local_X509_STORE_get0_param(X509_STORE* ctx); -const ASN1_TIME* local_X509_get0_notAfter(const X509* x509); -const ASN1_TIME* local_X509_get0_notBefore(const X509* x509); -ASN1_BIT_STRING* local_X509_get0_pubkey_bitstr(const X509* x509); -int local_X509_set1_notBefore(X509* x509, const ASN1_TIME*); -int local_X509_set1_notAfter(X509* x509, const ASN1_TIME*); -const X509_ALGOR* local_X509_get0_tbs_sigalg(const X509* x509); -X509_PUBKEY* local_X509_get_X509_PUBKEY(const X509* x509); -int32_t local_X509_get_version(const X509* x509); -int32_t local_X509_up_ref(X509* x509); -typedef void 
(*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line); -void local_SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb); - -typedef void *(*CRYPTO_malloc_fn)(size_t num, const char *file, int line); -typedef void *(*CRYPTO_realloc_fn)(void *addr, size_t num, const char *file, int line); -typedef void (*CRYPTO_free_fn)(void *addr, const char *file, int line); - -int CRYPTO_set_mem_functions(CRYPTO_malloc_fn malloc_fn, CRYPTO_realloc_fn realloc_fn, CRYPTO_free_fn free_fn); diff --git a/src/native/libs/System.Security.Cryptography.Native/openssl.c b/src/native/libs/System.Security.Cryptography.Native/openssl.c index f84246656932d8..956ff1369a1541 100644 --- a/src/native/libs/System.Security.Cryptography.Native/openssl.c +++ b/src/native/libs/System.Security.Cryptography.Native/openssl.c @@ -22,11 +22,8 @@ #include #include -#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_0_RTM c_static_assert(CRYPTO_EX_INDEX_X509 == 3); -#else -c_static_assert(CRYPTO_EX_INDEX_X509 == 10); -#endif +c_static_assert(CRYPTO_EX_INDEX_SSL_SESSION == 2); // See X509NameType.SimpleName #define NAME_TYPE_SIMPLE 0 @@ -1152,7 +1149,7 @@ int32_t CryptoNative_LookupFriendlyNameByOid(const char* oidValue, const char** /* Function: -SSLeay (OpenSSL_version_num for OpenSSL 1.1+) +OpenSSL_version_num Gets the version of openssl library. @@ -1192,11 +1189,7 @@ static void ExDataFreeOcspResponse( // In the OpenSSL 3 headers, `from_d` changed from (void*) to (void**). static int ExDataDupOcspResponse( CRYPTO_EX_DATA* to, -#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_0_RTM const CRYPTO_EX_DATA* from, -#else - CRYPTO_EX_DATA* from, -#endif #if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_3_0_RTM void** from_d, #else 
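Review bot: The two `c_static_assert` lines pinning CRYPTO_EX_INDEX_X509 and CRYPTO_EX_INDEX_SSL_SESSION carry no comment saying why header constants are being asserted at all. The deleted 1.0 initializer in this same file passed the class index to CRYPTO_get_ex_new_index as a literal, and the surviving 1.1 path presumably does the same, so these asserts are what turns a header change into a build failure instead of ex-data silently registered on the wrong class; a one-line comment such as `// Ex-data class indices are passed to CRYPTO_get_ex_new_index as literals below; pin them so a header change fails the build instead of registering on the wrong class.` keeps that reason next to the check. The same reasoning applies to the new SSL_SESSION assert, which has no nearby use visible in this hunk.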
@@ -1249,11 +1242,7 @@ static void ExDataFreeNoOp( static int ExDataDupNoOp( CRYPTO_EX_DATA* to, -#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_0_RTM const CRYPTO_EX_DATA* from, -#else - CRYPTO_EX_DATA* from, -#endif #if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_3_0_RTM void** from_d, #else 
@@ -1313,150 +1302,6 @@ int32_t CryptoNative_IsSignatureAlgorithmAvailable(const char* algorithm) return ret; } -#ifdef NEED_OPENSSL_1_0 -// Lock used to make sure EnsureopenSslInitialized itself is thread safe -static pthread_mutex_t g_initLock = PTHREAD_MUTEX_INITIALIZER; - -// Set of locks initialized for OpenSSL -static pthread_mutex_t* g_locks = NULL; - -/* -Function: -LockingCallback - -Called back by OpenSSL to lock or unlock. -*/ -static void LockingCallback(int mode, int n, const char* file, int line) -{ - (void)file, (void)line; // deliberately unused parameters - -// Clang complains about releasing locks that are not held. -#pragma clang diagnostic push -#pragma clang diagnostic ignored "-Wthread-safety-analysis" - -#ifndef CRYPTO_LOCK -#define CRYPTO_LOCK 1 -#endif - - int result; - if (mode & CRYPTO_LOCK) - { - result = pthread_mutex_lock(&g_locks[n]); - } - else - { - result = pthread_mutex_unlock(&g_locks[n]); - } - - if (result != 0) - { - assert(0 && "LockingCallback failed."); - } -#pragma clang diagnostic pop -} - -/* -Function: -EnsureOpenSslInitialized - -Initializes OpenSSL with a locking callback to ensure thread safety. - -Return values: -0 on success -non-zero on failure -*/ -static int32_t EnsureOpenSsl10Initialized(void) -{ - int ret = 0; - int numLocks = 0; - int locksInitialized = 0; - int randPollResult = 0; - size_t allocationSize = 0; - - pthread_mutex_lock(&g_initLock); - - if (g_locks != NULL) - { - // Already initialized; nothing more to do. 
- goto done; - } - - // Determine how many locks are needed - numLocks = CRYPTO_num_locks(); - if (numLocks <= 0) - { - assert(0 && "CRYPTO_num_locks returned invalid value."); - ret = 1; - goto done; - } - - // Create the locks array - if (!multiply_s(sizeof(pthread_mutex_t), (size_t)numLocks, &allocationSize)) - { - ret = 2; - goto done; - } - - g_locks = (pthread_mutex_t*)malloc(allocationSize); - if (g_locks == NULL) - { - ret = 2; - goto done; - } - - // Initialize each of the locks - for (locksInitialized = 0; locksInitialized < numLocks; locksInitialized++) - { - if (pthread_mutex_init(&g_locks[locksInitialized], NULL) != 0) - { - ret = 3; - goto done; - } - } - - // Initialize the callback - CRYPTO_set_locking_callback(LockingCallback); - - // Initialize the random number generator seed - randPollResult = RAND_poll(); - if (randPollResult < 1) - { - ret = 4; - goto done; - } - - // Load the SHA-2 hash algorithms, and anything else not in the default - // support set. - OPENSSL_add_all_algorithms_conf(); - - // Ensure that the error message table is loaded. - ERR_load_crypto_strings(); - - // In OpenSSL 1.0.2-, CRYPTO_EX_INDEX_X509 is 10. - g_x509_ocsp_index = CRYPTO_get_ex_new_index(10, 0, NULL, NULL, ExDataDupOcspResponse, ExDataFreeOcspResponse); - // In OpenSSL 1.0.2-, CRYPTO_EX_INDEX_SSL_SESSION is 3. - g_ssl_sess_cert_index = CRYPTO_get_ex_new_index(3, 0, NULL, NULL, ExDataDupNoOp, ExDataFreeNoOp); - -done: - if (ret != 0) - { - // Cleanup on failure - if (g_locks != NULL) - { - for (int i = locksInitialized - 1; i >= 0; i--) - { - pthread_mutex_destroy(&g_locks[i]); // ignore failures - } - free(g_locks); - g_locks = NULL; - } - } - - pthread_mutex_unlock(&g_initLock); - return ret; -} -#endif // NEED_OPENSSL_1_0 */ - #if defined NEED_OPENSSL_1_1 || defined NEED_OPENSSL_3_0 // Only defined in OpenSSL 1.1.1+, has no effect on 1.1.0. 
@@ -1483,16 +1328,12 @@ static void HandleShutdown(void)
 static int32_t EnsureOpenSsl11Initialized(void)
 {
- // In OpenSSL 1.0 we call OPENSSL_add_all_algorithms_conf() and ERR_load_crypto_strings(),
- // so do the same for 1.1
 OPENSSL_init_ssl(
- // OPENSSL_add_all_algorithms_conf
 OPENSSL_INIT_ADD_ALL_CIPHERS |
 OPENSSL_INIT_ADD_ALL_DIGESTS |
 OPENSSL_INIT_LOAD_CONFIG |
- // Do not unload on process exit, as the CLR may still have threads running
+ // Do not unload on process exit, as the CLR may still have threads running
 OPENSSL_INIT_NO_ATEXIT |
- // ERR_load_crypto_strings
 OPENSSL_INIT_LOAD_CRYPTO_STRINGS |
 OPENSSL_INIT_LOAD_SSL_STRINGS,
 NULL);
@@ -1528,11 +1369,6 @@ int g_ssl_sess_cert_index = -1;
 static int32_t EnsureOpenSslInitializedCore(void)
 {
- int ret = 0;
-
- // If portable then decide which OpenSSL we are, and call the right one.
- // If 1.0, call the 1.0 one.
- // Otherwise call the 1.1 one.
 #ifdef FEATURE_DISTRO_AGNOSTIC_SSL
 InitializeOpenSSLShim();
 #endif
@@ -1540,25 +1376,10 @@ static int32_t EnsureOpenSslInitializedCore(void)
 // And it also needs to be after the pointers are loaded for DISTRO_AGNOSTIC_SSL
 InitializeMemoryDebug();
-#ifdef FEATURE_DISTRO_AGNOSTIC_SSL
- if (API_EXISTS(SSL_state))
- {
- ret = EnsureOpenSsl10Initialized();
- }
- else
- {
- ret = EnsureOpenSsl11Initialized();
- }
-#elif OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM
- ret = EnsureOpenSsl10Initialized();
-#else
- ret = EnsureOpenSsl11Initialized();
-#endif
+ int ret = EnsureOpenSsl11Initialized();
 if (ret == 0)
 {
- // On OpenSSL 1.0.2 our expected index is 0.
- // On OpenSSL 1.1.0+ 0 is a reserved value and we expect 1.
 assert(g_x509_ocsp_index != -1);
 assert(g_ssl_sess_cert_index != -1);
 }
diff --git a/src/native/libs/System.Security.Cryptography.Native/openssl_1_0_structs.h b/src/native/libs/System.Security.Cryptography.Native/openssl_1_0_structs.h
deleted file mode 100644
index f13fa7ba79d00c..00000000000000
--- a/src/native/libs/System.Security.Cryptography.Native/openssl_1_0_structs.h
+++ /dev/null
@@ -1,195 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-// Definitions of structures from OpenSSL 1.0.2, modified as relevant to
-// building .NET.
-
-// The CRYPTO_EX_DATA struct is smaller in 1.1, which changes the packing of
-// dsa_st
-struct crypto_ex_data_10_st
-{
- STACK_OF(void) * sk;
- int dummy;
-};
-
-struct dsa_st
-{
- int _ignored0;
- long _ignored1;
- int _ignored2;
- BIGNUM* p;
- BIGNUM* q;
- BIGNUM* g;
- BIGNUM* pub_key;
- BIGNUM* priv_key;
- const void* _ignored3;
- const void* _ignored4;
- int _ignored5;
- const void* _ignored6;
- int _ignored7;
- struct crypto_ex_data_10_st ex_data;
- const DSA_METHOD* meth;
-};
-
-struct evp_cipher_ctx_st
-{
- // 0xA8 is the sizeof value when building against OpenSSL 1.0.2 on
- // Ubuntu 16.04
- unsigned char _ignored0[0xA8];
-};
-
-struct evp_pkey_st
-{
- int _ignored0;
- int _ignored1;
- int references;
-};
-
-struct hmac_ctx_st
-{
- // 0x120 is the sizeof value when building against OpenSSL 1.0.2 on
- // Ubuntu 16.04
- unsigned char _ignored0[0x120];
-};
-
-struct rsa_meth_st
-{
- const void* _ignored0;
- const void* _ignored1;
- const void* _ignored2;
- const void* _ignored3;
- const void* _ignored4;
- const void* _ignored5;
- const void* _ignored6;
- const void* _ignored7;
- const void* _ignored8;
- int flags;
-};
-
-struct rsa_st
-{
- int _ignored0;
- long _ignored1;
- const RSA_METHOD* meth;
- const void* _ignored2;
- BIGNUM* n;
- BIGNUM* e;
- BIGNUM* d;
- BIGNUM* p;
- BIGNUM* q;
- BIGNUM* dmp1;
- BIGNUM* dmq1;
- BIGNUM* iqmp;
- struct crypto_ex_data_10_st ex_data;
- int _ignored3;
- int flags;
-};
-
-struct x509_cinf_st
-{
- ASN1_INTEGER* version;
- ASN1_INTEGER* serialNumber;
- X509_ALGOR* signature;
- X509_NAME* issuer;
- X509_VAL* validity;
- X509_NAME* subject;
- X509_PUBKEY* key;
-};
-
-struct X509_crl_info_st
-{
- const void* _ignored0;
- const void* _ignored1;
- const void* _ignored2;
- const void* _ignored3;
- ASN1_TIME* nextUpdate;
-};
-
-struct X509_crl_st
-{
- X509_CRL_INFO* crl;
-};
-
-struct X509_name_st
-{
- STACK_OF(X509_NAME_ENTRY) * entries;
- int _ignored0;
- BUF_MEM* bytes;
-};
-
-struct X509_pubkey_st
-{
- X509_ALGOR* algor;
- ASN1_BIT_STRING* public_key;
-};
-
-struct x509_st
-{
- X509_CINF* cert_info;
- const void* _ignored0;
- const void* _ignored1;
- int _ignored2;
- int references;
-};
-
-struct x509_store_ctx_st
-{
- X509_STORE* ctx;
- int _ignored1;
- X509* cert;
- STACK_OF(X509*) untrusted;
- const void* _ignored2;
- const void* _ignored3;
- const void* _ignored4;
- // For comparison purposes to the 1.0.x headers:
- // BEGIN FUNCTION POINTERS
- const void* _ignored5;
- const void* _ignored6;
- const void* _ignored7;
- const void* _ignored8;
- const void* _ignored9;
- const void* _ignored10;
- const void* _ignored11;
- const void* _ignored12;
- const void* _ignored13;
- const void* _ignored14;
- const void* _ignored15;
- const void* _ignored16;
- // END FUNCTION POINTERS
- int _ignored17;
- int _ignored18;
- STACK_OF(X509*) chain;
-};
-
-struct x509_store_st
-{
- int _ignored0;
- const void* _ignored1;
- const void* _ignored2;
- X509_VERIFY_PARAM* param;
-};
-
-struct bio_st
-{
- const void* _ignored1;
- const void* _ignored2;
- const void* _ignored3;
- int _ignored4;
- int _ignored5;
- int _ignored6;
- int _ignored7;
- int _ignored8;
- const void*_ignored9;
- const void*_ignored10;
- const void*_ignored11;
- int references;
-};
-
-struct bignum_st
-{
- BN_ULONG *d;
- int top;
- int dmax;
- int neg;
- int flags;
-};
diff --git a/src/native/libs/System.Security.Cryptography.Native/opensslshim.c b/src/native/libs/System.Security.Cryptography.Native/opensslshim.c
index d99f9fd913bffe..42e64d9039f0f1 100644
--- a/src/native/libs/System.Security.Cryptography.Native/opensslshim.c
+++ b/src/native/libs/System.Security.Cryptography.Native/opensslshim.c
@@ -13,17 +13,13 @@
 // Define pointers to all the used OpenSSL functions
 #define REQUIRED_FUNCTION(fn) TYPEOF(fn) fn##_ptr;
-#define REQUIRED_FUNCTION_110(fn) TYPEOF(fn) fn##_ptr;
 #define LIGHTUP_FUNCTION(fn) TYPEOF(fn) fn##_ptr;
 #define FALLBACK_FUNCTION(fn) TYPEOF(fn) fn##_ptr;
 #define RENAMED_FUNCTION(fn,oldfn) TYPEOF(fn) fn##_ptr;
-#define LEGACY_FUNCTION(fn) TYPEOF(fn) fn##_ptr;
 FOR_ALL_OPENSSL_FUNCTIONS
-#undef LEGACY_FUNCTION
 #undef RENAMED_FUNCTION
 #undef FALLBACK_FUNCTION
 #undef LIGHTUP_FUNCTION
-#undef REQUIRED_FUNCTION_110
 #undef REQUIRED_FUNCTION
 #if defined(TARGET_ARM) && defined(TARGET_LINUX)
 TYPEOF(OPENSSL_gmtime) OPENSSL_gmtime_ptr;
@@ -108,26 +104,6 @@ static void OpenLibraryOnce(void)
 DlOpen(MAKELIB("1.1"));
 }
 
- if (libssl == NULL)
- {
- // Debian 9 has dropped support for SSLv3 and so they have bumped their soname. Let's try it
- // before trying the version 1.0.0 to make it less probable that some of our other dependencies
- // end up loading conflicting version of libssl.
- DlOpen(MAKELIB("1.0.2"));
- }
-
- if (libssl == NULL)
- {
- // Now try the default versioned so naming as described in the OpenSSL doc
- DlOpen(MAKELIB("1.0.0"));
- }
-
- if (libssl == NULL)
- {
- // Fedora derived distros use different naming for the version 1.0.0
- DlOpen(MAKELIB("10"));
- }
-
 #ifdef __FreeBSD__
 // The ports version of OpenSSL is used over base where possible
 if (libssl == NULL)
@@ -180,10 +156,6 @@ void InitializeOpenSSLShim(void)
 abort();
 }
 
- // A function defined in libcrypto.so.1.0.0/libssl.so.1.0.0 that is not defined in
- // libcrypto.so.1.1.0/libssl.so.1.1.0
- const void* v1_0_sentinel = dlsym(libssl, "SSL_state");
-
 // Only permit a single assignment here so that two assemblies both triggering the initializer doesn't cause a
 // race where the fn_ptr is nullptr, then properly bound, then goes back to nullptr right before being used (then bound again).
 void* volatile tmp_ptr;
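Review bot: With `v1_0_sentinel` removed from the `@@ -180` hunk, a pre-1.1 libssl that dlopen still accepts is only rejected when the first `REQUIRED_FUNCTION` lookup fails, and the operator then sees "Cannot get required symbol … from libssl" rather than the real cause. A targeted probe right after the `abort();` block at the top of this hunk would give a clear message: `if (dlsym(libssl, "OpenSSL_version_num") == NULL) { fprintf(stderr, "OpenSSL 1.1 or newer is required\n"); abort(); }`. `OpenSSL_version_num` is, to my knowledge, a 1.1.0+ symbol and it is already in the REQUIRED list on the new side, so the probe adds no new dependency. InitializeOpenSSLShim continues outside the hunk.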
@@ -192,9 +164,6 @@ void InitializeOpenSSLShim(void)
 #define REQUIRED_FUNCTION(fn) \
 if (!(fn##_ptr = (TYPEOF(fn))(dlsym(libssl, #fn)))) { fprintf(stderr, "Cannot get required symbol " #fn " from libssl\n"); abort(); }
-#define REQUIRED_FUNCTION_110(fn) \
- if (!v1_0_sentinel && !(fn##_ptr = (TYPEOF(fn))(dlsym(libssl, #fn)))) { fprintf(stderr, "Cannot get required symbol " #fn " from libssl\n"); abort(); }
-
 #define LIGHTUP_FUNCTION(fn) \
 fn##_ptr = (TYPEOF(fn))(dlsym(libssl, #fn));
@@ -207,15 +176,10 @@ void InitializeOpenSSLShim(void)
 if (!tmp_ptr && !(tmp_ptr = dlsym(libssl, #oldfn))) { fprintf(stderr, "Cannot get required symbol " #oldfn " from libssl\n"); abort(); } \
 fn##_ptr = (TYPEOF(fn))tmp_ptr;
-#define LEGACY_FUNCTION(fn) \
- if (v1_0_sentinel && !(fn##_ptr = (TYPEOF(fn))(dlsym(libssl, #fn)))) { fprintf(stderr, "Cannot get required symbol " #fn " from libssl\n"); abort(); }
-
 FOR_ALL_OPENSSL_FUNCTIONS
-#undef LEGACY_FUNCTION
 #undef RENAMED_FUNCTION
 #undef FALLBACK_FUNCTION
 #undef LIGHTUP_FUNCTION
-#undef REQUIRED_FUNCTION_110
 #undef REQUIRED_FUNCTION
 #if defined(TARGET_ARM) && defined(TARGET_LINUX)
 if (!(OPENSSL_gmtime_ptr = (TYPEOF(OPENSSL_gmtime))(dlsym(libssl, "OPENSSL_gmtime")))) { fprintf(stderr, "Cannot get required symbol OPENSSL_gmtime from libssl\n"); abort(); }
@@ -234,7 +198,7 @@ void InitializeOpenSSLShim(void)
 #if defined(TARGET_ARM) && defined(TARGET_LINUX)
 c_static_assert_msg(sizeof(time_t) == 8, "Build requires 64-bit time_t.");
-
+
 // This value will represent a time in year 2038 if 64-bit time is used,
 // or 1901 if the lower 32 bits are interpreted as a 32-bit time_t value.
 time_t timeVal = (time_t)0x80000000U;
diff --git a/src/native/libs/System.Security.Cryptography.Native/opensslshim.h b/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
index fc4cc6c0459e0f..db613a21d546bf 100644
--- a/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
+++ b/src/native/libs/System.Security.Cryptography.Native/opensslshim.h
@@ -41,7 +41,6 @@
 #define OPENSSL_VERSION_3_0_RTM 0x30000000L
 #define OPENSSL_VERSION_1_1_1_RTM 0x10101000L
 #define OPENSSL_VERSION_1_1_0_RTM 0x10100000L
-#define OPENSSL_VERSION_1_0_2_RTM 0x10002000L
 #if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_3_0_RTM
 #include
@@ -69,29 +68,6 @@
 #define HAVE_OPENSSL_RC2 0
 #endif
-
-#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM
-
-// Remove problematic #defines
-#undef BN_abs_is_word
-#undef BN_is_odd
-#undef BN_is_one
-#undef BN_is_zero
-#undef SSL_get_state
-#undef SSL_is_init_finished
-#undef X509_get_X509_PUBKEY
-#undef X509_get_version
-
-#endif
-
-#ifdef EVP_MD_CTX_create
-#undef EVP_MD_CTX_create
-#undef EVP_MD_CTX_init
-#undef EVP_MD_CTX_destroy
-#undef RSA_PKCS1_SSLeay
-#undef SSLv23_method
-#endif
-
 #ifdef ERR_put_error
 #undef ERR_put_error
 void ERR_put_error(int32_t lib, int32_t func, int32_t reason, const char* file, int32_t line);
@@ -178,9 +154,6 @@ c_static_assert(EVP_PKEY_PUBLIC_KEY == 134);
 #if defined FEATURE_DISTRO_AGNOSTIC_SSL || OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_3_0_RTM
 #include "apibridge_30.h"
 #endif
-#if defined FEATURE_DISTRO_AGNOSTIC_SSL || OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM
-#include "apibridge.h"
-#endif
 #ifdef FEATURE_DISTRO_AGNOSTIC_SSL
@@ -212,14 +185,8 @@ int SSL_set_ciphersuites(SSL *s, const char *str);
 const SSL_CIPHER* SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
 #endif
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_3_0_RTM
-#include "osslcompat_102.h"
-#elif OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_0_RTM
-#include "osslcompat_30.h"
-#include "osslcompat_102.h"
-#else
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_3_0_RTM
 #include "osslcompat_30.h"
-#include "osslcompat_111.h"
 #endif
 #if !HAVE_OPENSSL_ALPN
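Review bot: The `@@ -41` hunk drops `OPENSSL_VERSION_1_0_2_RTM` without adding a compile-time floor, and the `@@ -212` hunk at the end of this line now has no lower bound, so a build against 1.0.x headers silently takes the `< OPENSSL_VERSION_3_0_RTM` path and fails later with scattered missing-declaration errors instead of one message. Next to the remaining `OPENSSL_VERSION_*_RTM` defines I would add `#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM` / `#error "OpenSSL 1.1.0 or newer is required"` / `#endif`, with the constant matched to whatever floor the runtime symbol list in this file actually enforces. The removed `#else` branch was also the only include of `osslcompat_111.h` visible here; if that header is not deleted elsewhere in this change it is now unreferenced.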
@@ -312,7 +279,7 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(ASN1_STRING_print_ex) \
 REQUIRED_FUNCTION(ASN1_TIME_new) \
 REQUIRED_FUNCTION(ASN1_TIME_set) \
- FALLBACK_FUNCTION(ASN1_TIME_to_tm) \
+ REQUIRED_FUNCTION(ASN1_TIME_to_tm) \
 REQUIRED_FUNCTION(ASN1_TIME_free) \
 REQUIRED_FUNCTION(BIO_ctrl) \
 REQUIRED_FUNCTION(BIO_ctrl_pending) \
@@ -321,10 +288,10 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(BIO_new) \
 REQUIRED_FUNCTION(BIO_new_file) \
 REQUIRED_FUNCTION(BIO_read) \
- FALLBACK_FUNCTION(BIO_up_ref) \
+ REQUIRED_FUNCTION(BIO_up_ref) \
 REQUIRED_FUNCTION(BIO_s_mem) \
 REQUIRED_FUNCTION(BIO_write) \
- FALLBACK_FUNCTION(BN_abs_is_word) \
+ REQUIRED_FUNCTION(BN_abs_is_word) \
 REQUIRED_FUNCTION(BN_bin2bn) \
 REQUIRED_FUNCTION(BN_bn2bin) \
 REQUIRED_FUNCTION(BN_clear_free) \
@@ -333,9 +300,9 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(BN_dup) \
 REQUIRED_FUNCTION(BN_free) \
 REQUIRED_FUNCTION(BN_gcd) \
- FALLBACK_FUNCTION(BN_is_odd) \
- FALLBACK_FUNCTION(BN_is_one) \
- FALLBACK_FUNCTION(BN_is_zero) \
+ REQUIRED_FUNCTION(BN_is_odd) \
+ REQUIRED_FUNCTION(BN_is_one) \
+ REQUIRED_FUNCTION(BN_is_zero) \
 REQUIRED_FUNCTION(BN_mod_inverse) \
 REQUIRED_FUNCTION(BN_mod_mul) \
 REQUIRED_FUNCTION(BN_mul) \
@@ -346,12 +313,9 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(BN_value_one) \
 REQUIRED_FUNCTION(BN_CTX_new) \
 REQUIRED_FUNCTION(BN_CTX_free) \
- LEGACY_FUNCTION(CRYPTO_add_lock) \
 REQUIRED_FUNCTION(CRYPTO_free) \
 REQUIRED_FUNCTION(CRYPTO_get_ex_new_index) \
 REQUIRED_FUNCTION(CRYPTO_malloc) \
- LEGACY_FUNCTION(CRYPTO_num_locks) \
- LEGACY_FUNCTION(CRYPTO_set_locking_callback) \
 REQUIRED_FUNCTION(CRYPTO_set_mem_functions) \
 REQUIRED_FUNCTION(d2i_OCSP_RESPONSE) \
 REQUIRED_FUNCTION(d2i_PKCS12_fp) \
@@ -367,13 +331,13 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(DSA_free) \
 REQUIRED_FUNCTION(DSA_generate_key) \
 REQUIRED_FUNCTION(DSA_generate_parameters_ex) \
- FALLBACK_FUNCTION(DSA_get0_key) \
- FALLBACK_FUNCTION(DSA_get0_pqg) \
- FALLBACK_FUNCTION(DSA_get_method) \
+ REQUIRED_FUNCTION(DSA_get0_key) \
+ REQUIRED_FUNCTION(DSA_get0_pqg) \
+ REQUIRED_FUNCTION(DSA_get_method) \
 REQUIRED_FUNCTION(DSA_new) \
 REQUIRED_FUNCTION(DSA_OpenSSL) \
- FALLBACK_FUNCTION(DSA_set0_key) \
- FALLBACK_FUNCTION(DSA_set0_pqg) \
+ REQUIRED_FUNCTION(DSA_set0_key) \
+ REQUIRED_FUNCTION(DSA_set0_pqg) \
 REQUIRED_FUNCTION(DSA_sign) \
 REQUIRED_FUNCTION(DSA_size) \
 REQUIRED_FUNCTION(DSA_up_ref) \
@@ -429,7 +393,6 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(ERR_clear_error) \
 REQUIRED_FUNCTION(ERR_error_string_n) \
 REQUIRED_FUNCTION(ERR_get_error) \
- LEGACY_FUNCTION(ERR_load_crypto_strings) \
 LIGHTUP_FUNCTION(ERR_new) \
 REQUIRED_FUNCTION(ERR_peek_error) \
 REQUIRED_FUNCTION(ERR_peek_error_line) \
@@ -459,12 +422,10 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(EVP_aes_256_ecb) \
 REQUIRED_FUNCTION(EVP_aes_256_gcm) \
 LIGHTUP_FUNCTION(EVP_chacha20_poly1305) \
- LEGACY_FUNCTION(EVP_CIPHER_CTX_cleanup) \
 REQUIRED_FUNCTION(EVP_CIPHER_CTX_ctrl) \
- FALLBACK_FUNCTION(EVP_CIPHER_CTX_free) \
- LEGACY_FUNCTION(EVP_CIPHER_CTX_init) \
- FALLBACK_FUNCTION(EVP_CIPHER_CTX_new) \
- FALLBACK_FUNCTION(EVP_CIPHER_CTX_reset) \
+ REQUIRED_FUNCTION(EVP_CIPHER_CTX_free) \
+ REQUIRED_FUNCTION(EVP_CIPHER_CTX_new) \
+ REQUIRED_FUNCTION(EVP_CIPHER_CTX_reset) \
 REQUIRED_FUNCTION(EVP_CIPHER_CTX_set_key_length) \
 REQUIRED_FUNCTION(EVP_CIPHER_CTX_set_padding) \
 RENAMED_FUNCTION(EVP_CIPHER_get_nid, EVP_CIPHER_nid) \
@@ -502,8 +463,8 @@ extern bool g_libSslUses32BitTime;
 LIGHTUP_FUNCTION(EVP_MAC_update) \
 REQUIRED_FUNCTION(EVP_md5) \
 REQUIRED_FUNCTION(EVP_MD_CTX_copy_ex) \
- RENAMED_FUNCTION(EVP_MD_CTX_free, EVP_MD_CTX_destroy) \
- RENAMED_FUNCTION(EVP_MD_CTX_new, EVP_MD_CTX_create) \
+ REQUIRED_FUNCTION(EVP_MD_CTX_free) \
+ REQUIRED_FUNCTION(EVP_MD_CTX_new) \
 REQUIRED_FUNCTION(EVP_MD_CTX_set_flags) \
 LIGHTUP_FUNCTION(EVP_MD_fetch) \
 RENAMED_FUNCTION(EVP_MD_get_size, EVP_MD_size) \
@@ -523,7 +484,7 @@ extern bool g_libSslUses32BitTime;
 FALLBACK_FUNCTION(EVP_PKEY_CTX_set_rsa_padding) \
 FALLBACK_FUNCTION(EVP_PKEY_CTX_set_rsa_pss_saltlen) \
 FALLBACK_FUNCTION(EVP_PKEY_CTX_set_signature_md) \
- FALLBACK_FUNCTION(EVP_PKEY_check) \
+ REQUIRED_FUNCTION(EVP_PKEY_check) \
 LIGHTUP_FUNCTION(EVP_PKEY_decapsulate) \
 LIGHTUP_FUNCTION(EVP_PKEY_decapsulate_init) \
 REQUIRED_FUNCTION(EVP_PKEY_decrypt) \
@@ -540,7 +501,7 @@ extern bool g_libSslUses32BitTime;
 LIGHTUP_FUNCTION(EVP_PKEY_fromdata_init) \
 RENAMED_FUNCTION(EVP_PKEY_get_base_id, EVP_PKEY_base_id) \
 RENAMED_FUNCTION(EVP_PKEY_get_bits, EVP_PKEY_bits) \
- FALLBACK_FUNCTION(EVP_PKEY_get0_RSA) \
+ REQUIRED_FUNCTION(EVP_PKEY_get0_RSA) \
 LIGHTUP_FUNCTION(EVP_PKEY_get0_type_name) \
 REQUIRED_FUNCTION(EVP_PKEY_get1_DSA) \
 REQUIRED_FUNCTION(EVP_PKEY_get1_EC_KEY) \
@@ -549,14 +510,14 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(EVP_PKEY_keygen) \
 REQUIRED_FUNCTION(EVP_PKEY_keygen_init) \
 REQUIRED_FUNCTION(EVP_PKEY_new) \
- FALLBACK_FUNCTION(EVP_PKEY_public_check) \
+ REQUIRED_FUNCTION(EVP_PKEY_public_check) \
 REQUIRED_FUNCTION(EVP_PKEY_set1_DSA) \
 REQUIRED_FUNCTION(EVP_PKEY_set1_EC_KEY) \
 REQUIRED_FUNCTION(EVP_PKEY_set1_RSA) \
 REQUIRED_FUNCTION(EVP_PKEY_sign) \
 REQUIRED_FUNCTION(EVP_PKEY_sign_init) \
 LIGHTUP_FUNCTION(EVP_PKEY_sign_message_init) \
- FALLBACK_FUNCTION(EVP_PKEY_up_ref) \
+ REQUIRED_FUNCTION(EVP_PKEY_up_ref) \
 REQUIRED_FUNCTION(EVP_PKEY_verify) \
 REQUIRED_FUNCTION(EVP_PKEY_verify_init) \
 LIGHTUP_FUNCTION(EVP_PKEY_verify_message_init) \
@@ -578,11 +539,9 @@ extern bool g_libSslUses32BitTime;
 LIGHTUP_FUNCTION(EVP_SIGNATURE_free) \
 REQUIRED_FUNCTION(GENERAL_NAMES_free) \
 REQUIRED_FUNCTION(HMAC) \
- LEGACY_FUNCTION(HMAC_CTX_cleanup) \
 REQUIRED_FUNCTION(HMAC_CTX_copy) \
- FALLBACK_FUNCTION(HMAC_CTX_free) \
- LEGACY_FUNCTION(HMAC_CTX_init) \
- FALLBACK_FUNCTION(HMAC_CTX_new) \
+ REQUIRED_FUNCTION(HMAC_CTX_free) \
+ REQUIRED_FUNCTION(HMAC_CTX_new) \
 REQUIRED_FUNCTION(HMAC_Final) \
 REQUIRED_FUNCTION(HMAC_Init_ex) \
 REQUIRED_FUNCTION(HMAC_Update) \
@@ -616,17 +575,16 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(OCSP_response_get1_basic) \
 REQUIRED_FUNCTION(OCSP_RESPONSE_free) \
 REQUIRED_FUNCTION(OCSP_RESPONSE_new) \
- LEGACY_FUNCTION(OPENSSL_add_all_algorithms_conf) \
 REQUIRED_FUNCTION(OPENSSL_cleanse) \
- REQUIRED_FUNCTION_110(OPENSSL_init_ssl) \
- RENAMED_FUNCTION(OPENSSL_sk_free, sk_free) \
- RENAMED_FUNCTION(OPENSSL_sk_new_null, sk_new_null) \
- RENAMED_FUNCTION(OPENSSL_sk_num, sk_num) \
- RENAMED_FUNCTION(OPENSSL_sk_pop, sk_pop) \
- RENAMED_FUNCTION(OPENSSL_sk_pop_free, sk_pop_free) \
- RENAMED_FUNCTION(OPENSSL_sk_push, sk_push) \
- RENAMED_FUNCTION(OPENSSL_sk_value, sk_value) \
- FALLBACK_FUNCTION(OpenSSL_version_num) \
+ REQUIRED_FUNCTION(OPENSSL_init_ssl) \
+ REQUIRED_FUNCTION(OPENSSL_sk_free) \
+ REQUIRED_FUNCTION(OPENSSL_sk_new_null) \
+ REQUIRED_FUNCTION(OPENSSL_sk_num) \
+ REQUIRED_FUNCTION(OPENSSL_sk_pop) \
+ REQUIRED_FUNCTION(OPENSSL_sk_pop_free) \
+ REQUIRED_FUNCTION(OPENSSL_sk_push) \
+ REQUIRED_FUNCTION(OPENSSL_sk_value) \
+ REQUIRED_FUNCTION(OpenSSL_version_num) \
 LIGHTUP_FUNCTION(OSSL_LIB_CTX_free) \
 LIGHTUP_FUNCTION(OSSL_LIB_CTX_new) \
 LIGHTUP_FUNCTION(OSSL_PROVIDER_load) \
@@ -662,20 +620,20 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(RSA_free) \
 REQUIRED_FUNCTION(RSA_generate_key_ex) \
 REQUIRED_FUNCTION(RSA_get_method) \
- FALLBACK_FUNCTION(RSA_get_multi_prime_extra_count) \
- FALLBACK_FUNCTION(RSA_get0_crt_params) \
- FALLBACK_FUNCTION(RSA_get0_factors) \
- FALLBACK_FUNCTION(RSA_get0_key) \
- FALLBACK_FUNCTION(RSA_meth_get_flags) \
+ REQUIRED_FUNCTION(RSA_get_multi_prime_extra_count) \
+ REQUIRED_FUNCTION(RSA_get0_crt_params) \
+ REQUIRED_FUNCTION(RSA_get0_factors) \
+ REQUIRED_FUNCTION(RSA_get0_key) \
+ REQUIRED_FUNCTION(RSA_meth_get_flags) \
 REQUIRED_FUNCTION(RSA_new) \
- FALLBACK_FUNCTION(RSA_pkey_ctx_ctrl) \
- RENAMED_FUNCTION(RSA_PKCS1_OpenSSL, RSA_PKCS1_SSLeay) \
- FALLBACK_FUNCTION(RSA_set0_crt_params) \
- FALLBACK_FUNCTION(RSA_set0_factors) \
- FALLBACK_FUNCTION(RSA_set0_key) \
+ REQUIRED_FUNCTION(RSA_pkey_ctx_ctrl) \
+ REQUIRED_FUNCTION(RSA_PKCS1_OpenSSL) \
+ REQUIRED_FUNCTION(RSA_set0_crt_params) \
+ REQUIRED_FUNCTION(RSA_set0_factors) \
+ REQUIRED_FUNCTION(RSA_set0_key) \
 REQUIRED_FUNCTION(RSA_set_method) \
 REQUIRED_FUNCTION(RSA_size) \
- FALLBACK_FUNCTION(RSA_test_flags) \
+ REQUIRED_FUNCTION(RSA_test_flags) \
 REQUIRED_FUNCTION(RSA_up_ref) \
 REQUIRED_FUNCTION(RSA_verify) \
 LIGHTUP_FUNCTION(SSL_CIPHER_find) \
@@ -689,11 +647,11 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(SSL_set_quiet_shutdown) \
 REQUIRED_FUNCTION(SSL_CTX_callback_ctrl) \
 REQUIRED_FUNCTION(SSL_CTX_check_private_key) \
- FALLBACK_FUNCTION(SSL_CTX_config) \
+ REQUIRED_FUNCTION(SSL_CTX_config) \
 REQUIRED_FUNCTION(SSL_CTX_ctrl) \
 REQUIRED_FUNCTION(SSL_CTX_free) \
 REQUIRED_FUNCTION(SSL_CTX_get_ex_data) \
- FALLBACK_FUNCTION(SSL_is_init_finished) \
+ REQUIRED_FUNCTION(SSL_is_init_finished) \
 REQUIRED_FUNCTION(SSL_CTX_new) \
 REQUIRED_FUNCTION(SSL_CTX_sess_set_new_cb) \
 REQUIRED_FUNCTION(SSL_CTX_sess_set_remove_cb) \
@@ -704,10 +662,10 @@ extern bool g_libSslUses32BitTime;
 LIGHTUP_FUNCTION(SSL_CTX_set_ciphersuites) \
 REQUIRED_FUNCTION(SSL_CTX_set_client_cert_cb) \
 REQUIRED_FUNCTION(SSL_CTX_set_ex_data) \
- FALLBACK_FUNCTION(SSL_CTX_set_keylog_callback) \
+ REQUIRED_FUNCTION(SSL_CTX_set_keylog_callback) \
 REQUIRED_FUNCTION(SSL_CTX_set_quiet_shutdown) \
- FALLBACK_FUNCTION(SSL_CTX_set_options) \
- FALLBACK_FUNCTION(SSL_CTX_set_security_level) \
+ REQUIRED_FUNCTION(SSL_CTX_set_options) \
+ REQUIRED_FUNCTION(SSL_CTX_set_security_level) \
 REQUIRED_FUNCTION(SSL_CTX_set_session_id_context) \
 REQUIRED_FUNCTION(SSL_CTX_set_verify) \
 REQUIRED_FUNCTION(SSL_CTX_use_certificate) \
@@ -729,8 +687,6 @@ extern bool g_libSslUses32BitTime;
 LIGHTUP_FUNCTION(SSL_get0_alpn_selected) \
 RENAMED_FUNCTION(SSL_get1_peer_certificate, SSL_get_peer_certificate) \
 REQUIRED_FUNCTION(SSL_get_certificate) \
- LEGACY_FUNCTION(SSL_library_init) \
- LEGACY_FUNCTION(SSL_load_error_strings) \
 REQUIRED_FUNCTION(SSL_new) \
 REQUIRED_FUNCTION(SSL_peek) \
 REQUIRED_FUNCTION(SSL_read) \
@@ -739,9 +695,9 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(SSL_SESSION_free) \
 REQUIRED_FUNCTION(SSL_SESSION_get_ex_data) \
 REQUIRED_FUNCTION(SSL_SESSION_set_ex_data) \
- LIGHTUP_FUNCTION(SSL_SESSION_get0_hostname) \
- LIGHTUP_FUNCTION(SSL_SESSION_set1_hostname) \
- FALLBACK_FUNCTION(SSL_session_reused) \
+ REQUIRED_FUNCTION(SSL_SESSION_get0_hostname) \
+ REQUIRED_FUNCTION(SSL_SESSION_set1_hostname) \
+ REQUIRED_FUNCTION(SSL_session_reused) \
 REQUIRED_FUNCTION(SSL_set_accept_state) \
 REQUIRED_FUNCTION(SSL_set_bio) \
 REQUIRED_FUNCTION(SSL_set_cert_cb) \
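Review bot: Promoting `SSL_SESSION_get0_hostname` and `SSL_SESSION_set1_hostname` from LIGHTUP to REQUIRED in the `@@ -739` hunk — and likewise `SSL_CTX_set_keylog_callback` in `@@ -704` and `SSL_verify_client_post_handshake`/`SSL_set_post_handshake_auth` in `@@ -749` on the next line — turns symbols that, to my knowledge, first appeared in OpenSSL 1.1.1 into hard requirements, so the shim's REQUIRED_FUNCTION path will abort on an OpenSSL 1.1.0 libssl.so.1.1 even though `OPENSSL_VERSION_1_1_0_RTM` is kept and `SSL_CTX_set_ciphersuites`/`SSL_set_ciphersuites`, also 1.1.1 APIs, stay LIGHTUP in these same hunks. If 1.1.1 is the intended floor, state it once above `FOR_ALL_OPENSSL_FUNCTIONS` (`// Minimum supported runtime OpenSSL is 1.1.1: every REQUIRED_FUNCTION must resolve there.`) and the remaining 1.1.1-only LIGHTUP entries can be promoted consistently; if 1.1.0 is still meant to work, these entries should stay LIGHTUP. Either way, call sites that null-check the keylog and post-handshake-auth pointers before use are now dead code under this change and are worth revisiting outside this file.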
@@ -749,27 +705,25 @@ extern bool g_libSslUses32BitTime;
 LIGHTUP_FUNCTION(SSL_set_ciphersuites) \
 REQUIRED_FUNCTION(SSL_set_connect_state) \
 REQUIRED_FUNCTION(SSL_set_ex_data) \
- FALLBACK_FUNCTION(SSL_set_options) \
+ REQUIRED_FUNCTION(SSL_set_options) \
 REQUIRED_FUNCTION(SSL_set_session) \
 REQUIRED_FUNCTION(SSL_get_session) \
 REQUIRED_FUNCTION(SSL_set_verify) \
 REQUIRED_FUNCTION(SSL_shutdown) \
- LEGACY_FUNCTION(SSL_state) \
- LEGACY_FUNCTION(SSLeay) \
- RENAMED_FUNCTION(TLS_method, SSLv23_method) \
+ REQUIRED_FUNCTION(TLS_method) \
 REQUIRED_FUNCTION(SSL_write) \
 REQUIRED_FUNCTION(SSL_use_certificate) \
 REQUIRED_FUNCTION(SSL_use_PrivateKey) \
- LIGHTUP_FUNCTION(SSL_verify_client_post_handshake) \
- LIGHTUP_FUNCTION(SSL_set_post_handshake_auth) \
+ REQUIRED_FUNCTION(SSL_verify_client_post_handshake) \
+ REQUIRED_FUNCTION(SSL_set_post_handshake_auth) \
 REQUIRED_FUNCTION(SSL_version) \
 REQUIRED_FUNCTION(UI_create_method) \
 REQUIRED_FUNCTION(UI_destroy_method) \
- FALLBACK_FUNCTION(X509_check_host) \
+ REQUIRED_FUNCTION(X509_check_host) \
 REQUIRED_FUNCTION(X509_check_purpose) \
 REQUIRED_FUNCTION(X509_cmp_time) \
 REQUIRED_FUNCTION(X509_CRL_free) \
- FALLBACK_FUNCTION(X509_CRL_get0_nextUpdate) \
+ REQUIRED_FUNCTION(X509_CRL_get0_nextUpdate) \
 REQUIRED_FUNCTION(X509_digest) \
 REQUIRED_FUNCTION(X509_dup) \
 REQUIRED_FUNCTION(X509_EXTENSION_create_by_OBJ) \
@@ -790,14 +744,14 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(X509_get_issuer_name) \
 REQUIRED_FUNCTION(X509_get_serialNumber) \
 REQUIRED_FUNCTION(X509_get_subject_name) \
- FALLBACK_FUNCTION(X509_get_version) \
- FALLBACK_FUNCTION(X509_get_X509_PUBKEY) \
- FALLBACK_FUNCTION(X509_get0_notBefore) \
- FALLBACK_FUNCTION(X509_get0_notAfter) \
- FALLBACK_FUNCTION(X509_set1_notBefore) \
- FALLBACK_FUNCTION(X509_set1_notAfter) \
- FALLBACK_FUNCTION(X509_get0_pubkey_bitstr) \
- FALLBACK_FUNCTION(X509_get0_tbs_sigalg) \
+ REQUIRED_FUNCTION(X509_get_version) \
+ REQUIRED_FUNCTION(X509_get_X509_PUBKEY) \
+ REQUIRED_FUNCTION(X509_get0_notBefore) \
+ REQUIRED_FUNCTION(X509_get0_notAfter) \
+ REQUIRED_FUNCTION(X509_set1_notBefore) \
+ REQUIRED_FUNCTION(X509_set1_notAfter) \
+ REQUIRED_FUNCTION(X509_get0_pubkey_bitstr) \
+ REQUIRED_FUNCTION(X509_get0_tbs_sigalg) \
 REQUIRED_FUNCTION(X509_issuer_name_hash) \
 REQUIRED_FUNCTION(X509_NAME_add_entry_by_txt) \
 REQUIRED_FUNCTION(X509_NAME_entry_count) \
@@ -806,10 +760,10 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(X509_NAME_free) \
 REQUIRED_FUNCTION(X509_NAME_get_entry) \
 REQUIRED_FUNCTION(X509_NAME_get_index_by_NID) \
- FALLBACK_FUNCTION(X509_NAME_get0_der) \
+ REQUIRED_FUNCTION(X509_NAME_get0_der) \
 REQUIRED_FUNCTION(X509_new) \
 REQUIRED_FUNCTION(X509_PUBKEY_get) \
- FALLBACK_FUNCTION(X509_PUBKEY_get0_param) \
+ REQUIRED_FUNCTION(X509_PUBKEY_get0_param) \
 REQUIRED_FUNCTION(X509_set_ex_data) \
 REQUIRED_FUNCTION(X509_set_pubkey) \
 REQUIRED_FUNCTION(X509_sign) \
@@ -821,11 +775,11 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(X509_STORE_CTX_get_current_cert) \
 REQUIRED_FUNCTION(X509_STORE_CTX_get_error) \
 REQUIRED_FUNCTION(X509_STORE_CTX_get_error_depth) \
- FALLBACK_FUNCTION(X509_STORE_CTX_get0_cert) \
- FALLBACK_FUNCTION(X509_STORE_CTX_get0_chain) \
+ REQUIRED_FUNCTION(X509_STORE_CTX_get0_cert) \
+ REQUIRED_FUNCTION(X509_STORE_CTX_get0_chain) \
 REQUIRED_FUNCTION(X509_STORE_CTX_get0_param) \
- FALLBACK_FUNCTION(X509_STORE_CTX_get0_store) \
- FALLBACK_FUNCTION(X509_STORE_CTX_get0_untrusted) \
+ REQUIRED_FUNCTION(X509_STORE_CTX_get0_store) \
+ REQUIRED_FUNCTION(X509_STORE_CTX_get0_untrusted) \
 REQUIRED_FUNCTION(X509_STORE_CTX_get1_chain) \
 REQUIRED_FUNCTION(X509_STORE_CTX_get1_issuer) \
 REQUIRED_FUNCTION(X509_STORE_CTX_init) \
@@ -835,11 +789,11 @@ extern bool g_libSslUses32BitTime;
 REQUIRED_FUNCTION(X509_STORE_CTX_set_ex_data) \
 REQUIRED_FUNCTION(X509_STORE_CTX_get_ex_data) \
 REQUIRED_FUNCTION(X509_STORE_free) \
- FALLBACK_FUNCTION(X509_STORE_get0_param) \
+ REQUIRED_FUNCTION(X509_STORE_get0_param) \
 REQUIRED_FUNCTION(X509_STORE_new) \
 REQUIRED_FUNCTION(X509_STORE_set_flags) \
 REQUIRED_FUNCTION(X509V3_EXT_print) \
- FALLBACK_FUNCTION(X509_up_ref) \
+ REQUIRED_FUNCTION(X509_up_ref) \
 REQUIRED_FUNCTION(X509_verify_cert) \
 REQUIRED_FUNCTION(X509_verify_cert_error_string) \
 REQUIRED_FUNCTION(X509_VERIFY_PARAM_clear_flags) \
@@ -853,17 +807,13 @@ extern bool g_libSslUses32BitTime;
 // Declare pointers to all the used OpenSSL functions
 #define REQUIRED_FUNCTION(fn) extern TYPEOF(fn)* fn##_ptr;
-#define REQUIRED_FUNCTION_110(fn) extern TYPEOF(fn)* fn##_ptr;
 #define LIGHTUP_FUNCTION(fn) extern TYPEOF(fn)* fn##_ptr;
 #define FALLBACK_FUNCTION(fn) extern TYPEOF(fn)* fn##_ptr;
 #define RENAMED_FUNCTION(fn,oldfn) extern TYPEOF(fn)* fn##_ptr;
-#define LEGACY_FUNCTION(fn) extern TYPEOF(fn)* fn##_ptr;
 FOR_ALL_OPENSSL_FUNCTIONS
-#undef LEGACY_FUNCTION
 #undef RENAMED_FUNCTION
 #undef FALLBACK_FUNCTION
 #undef LIGHTUP_FUNCTION
-#undef REQUIRED_FUNCTION_110
 #undef REQUIRED_FUNCTION
 #if defined(TARGET_ARM) && defined(TARGET_LINUX)
 extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
@@ -918,12 +868,9 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define BN_value_one BN_value_one_ptr
 #define BN_CTX_free BN_CTX_free_ptr
 #define BN_CTX_new BN_CTX_new_ptr
-#define CRYPTO_add_lock CRYPTO_add_lock_ptr
 #define CRYPTO_free CRYPTO_free_ptr
 #define CRYPTO_get_ex_new_index CRYPTO_get_ex_new_index_ptr
 #define CRYPTO_malloc CRYPTO_malloc_ptr
-#define CRYPTO_num_locks CRYPTO_num_locks_ptr
-#define CRYPTO_set_locking_callback CRYPTO_set_locking_callback_ptr
 #define CRYPTO_set_mem_functions CRYPTO_set_mem_functions_ptr
 #define d2i_OCSP_RESPONSE d2i_OCSP_RESPONSE_ptr
 #define d2i_PKCS12_fp d2i_PKCS12_fp_ptr
@@ -1001,7 +948,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define ERR_clear_error ERR_clear_error_ptr
 #define ERR_error_string_n ERR_error_string_n_ptr
 #define ERR_get_error ERR_get_error_ptr
-#define ERR_load_crypto_strings ERR_load_crypto_strings_ptr
 #define ERR_new ERR_new_ptr
 #define ERR_peek_error ERR_peek_error_ptr
 #define ERR_peek_error_line ERR_peek_error_line_ptr
@@ -1031,10 +977,8 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define EVP_aes_256_gcm EVP_aes_256_gcm_ptr
 #define EVP_aes_256_ccm EVP_aes_256_ccm_ptr
 #define EVP_chacha20_poly1305 EVP_chacha20_poly1305_ptr
-#define EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_cleanup_ptr
 #define EVP_CIPHER_CTX_ctrl EVP_CIPHER_CTX_ctrl_ptr
 #define EVP_CIPHER_CTX_free EVP_CIPHER_CTX_free_ptr
-#define EVP_CIPHER_CTX_init EVP_CIPHER_CTX_init_ptr
 #define EVP_CIPHER_CTX_new EVP_CIPHER_CTX_new_ptr
 #define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_reset_ptr
 #define EVP_CIPHER_CTX_set_key_length EVP_CIPHER_CTX_set_key_length_ptr
@@ -1152,10 +1096,8 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define EVP_SIGNATURE_free EVP_SIGNATURE_free_ptr
 #define GENERAL_NAMES_free GENERAL_NAMES_free_ptr
 #define HMAC HMAC_ptr
-#define HMAC_CTX_cleanup HMAC_CTX_cleanup_ptr
 #define HMAC_CTX_copy HMAC_CTX_copy_ptr
 #define HMAC_CTX_free HMAC_CTX_free_ptr
-#define HMAC_CTX_init HMAC_CTX_init_ptr
 #define HMAC_CTX_new HMAC_CTX_new_ptr
 #define HMAC_Final HMAC_Final_ptr
 #define HMAC_Init_ex HMAC_Init_ex_ptr
@@ -1190,7 +1132,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define OCSP_response_get1_basic OCSP_response_get1_basic_ptr
 #define OCSP_RESPONSE_free OCSP_RESPONSE_free_ptr
 #define OCSP_RESPONSE_new OCSP_RESPONSE_new_ptr
-#define OPENSSL_add_all_algorithms_conf OPENSSL_add_all_algorithms_conf_ptr
 #define OPENSSL_cleanse OPENSSL_cleanse_ptr
 #define OPENSSL_gmtime OPENSSL_gmtime_ptr
 #define OPENSSL_init_ssl OPENSSL_init_ssl_ptr
@@ -1306,8 +1247,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define SSL_get0_alpn_selected SSL_get0_alpn_selected_ptr
 #define SSL_get1_peer_certificate SSL_get1_peer_certificate_ptr
 #define SSL_is_init_finished SSL_is_init_finished_ptr
-#define SSL_library_init SSL_library_init_ptr
-#define SSL_load_error_strings SSL_load_error_strings_ptr
 #define SSL_new SSL_new_ptr
 #define SSL_peek SSL_peek_ptr
 #define SSL_state_string_long SSL_state_string_long_ptr
@@ -1332,8 +1271,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define SSL_get_session SSL_get_session_ptr
 #define SSL_set_verify SSL_set_verify_ptr
 #define SSL_shutdown SSL_shutdown_ptr
-#define SSL_state SSL_state_ptr
-#define SSLeay SSLeay_ptr
 #define SSL_write SSL_write_ptr
 #define SSL_use_certificate SSL_use_certificate_ptr
 #define SSL_use_PrivateKey SSL_use_PrivateKey_ptr
@@ -1463,16 +1400,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define sk_X509_NAME_value(stack, idx) (X509_NAME*)OPENSSL_sk_value((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(X509_NAME)*)0), idx)
 #define sk_X509_value(stack, idx) (X509*)OPENSSL_sk_value((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(X509)*)0), idx)
-#elif OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM
-
-#define sk_free OPENSSL_sk_free_ptr
-#define sk_new_null OPENSSL_sk_new_null_ptr
-#define sk_num OPENSSL_sk_num_ptr
-#define sk_pop OPENSSL_sk_pop_ptr
-#define sk_pop_free OPENSSL_sk_pop_free_ptr
-#define sk_push OPENSSL_sk_push_ptr
-#define sk_value OPENSSL_sk_value_ptr
-
 #endif
@@ -1502,82 +1429,6 @@ extern TYPEOF(OPENSSL_gmtime)* OPENSSL_gmtime_ptr;
 #define ERR_put_error local_ERR_put_error
-#elif OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM
-
-// Alias "future" API to the local_ version.
-#define ASN1_TIME_to_tm local_ASN1_TIME_to_tm
-#define BN_abs_is_word local_BN_abs_is_word
-#define BN_is_odd local_BN_is_odd
-#define BN_is_one local_BN_is_one
-#define BN_is_zero local_BN_is_zero
-#define BIO_up_ref local_BIO_up_ref
-#define DSA_get0_key local_DSA_get0_key
-#define DSA_get0_pqg local_DSA_get0_pqg
-#define DSA_get_method local_DSA_get_method
-#define DSA_set0_key local_DSA_set0_key
-#define DSA_set0_pqg local_DSA_set0_pqg
-#define EVP_CIPHER_CTX_free local_EVP_CIPHER_CTX_free
-#define EVP_CIPHER_CTX_new local_EVP_CIPHER_CTX_new
-#define EVP_CIPHER_CTX_reset local_EVP_CIPHER_CTX_reset
-#define EVP_PKEY_check local_EVP_PKEY_check
-#define EVP_PKEY_get0_RSA local_EVP_PKEY_get0_RSA
-#define EVP_PKEY_public_check local_EVP_PKEY_public_check
-#define EVP_PKEY_up_ref local_EVP_PKEY_up_ref
-#define HMAC_CTX_free local_HMAC_CTX_free
-#define HMAC_CTX_new local_HMAC_CTX_new
-#define OpenSSL_version_num local_OpenSSL_version_num
-#define RSA_get_multi_prime_extra_count local_RSA_get_multi_prime_extra_count
-#define RSA_get0_crt_params local_RSA_get0_crt_params
-#define RSA_get0_factors local_RSA_get0_factors
-#define RSA_get0_key local_RSA_get0_key
-#define RSA_meth_get_flags local_RSA_meth_get_flags
-#define RSA_set0_crt_params local_RSA_set0_crt_params
-#define RSA_set0_factors local_RSA_set0_factors
-#define RSA_set0_key local_RSA_set0_key
-#define RSA_pkey_ctx_ctrl local_RSA_pkey_ctx_ctrl
-#define RSA_test_flags local_RSA_test_flags
-#define SSL_CTX_set_security_level local_SSL_CTX_set_security_level
-#define SSL_is_init_finished local_SSL_is_init_finished
-#define X509_CRL_get0_nextUpdate local_X509_CRL_get0_nextUpdate
-#define X509_NAME_get0_der local_X509_NAME_get0_der
-#define X509_PUBKEY_get0_param local_X509_PUBKEY_get0_param
-#define X509_STORE_CTX_get0_cert local_X509_STORE_CTX_get0_cert
-#define X509_STORE_CTX_get0_chain local_X509_STORE_CTX_get0_chain
-#define X509_STORE_CTX_get0_untrusted local_X509_STORE_CTX_get0_untrusted
-#define X509_STORE_get0_param local_X509_STORE_get0_param
-#define X509_get0_notAfter local_X509_get0_notAfter
-#define X509_get0_notBefore local_X509_get0_notBefore
-#define X509_set1_notAfter local_X509_set1_notAfter
-#define X509_set1_notBefore local_X509_set1_notBefore
-#define X509_get0_pubkey_bitstr local_X509_get0_pubkey_bitstr
-#define X509_get0_tbs_sigalg local_X509_get0_tbs_sigalg
-#define X509_get_X509_PUBKEY local_X509_get_X509_PUBKEY
-#define X509_get_version local_X509_get_version
-#define X509_up_ref local_X509_up_ref
-#define SSL_CTX_set_keylog_callback local_SSL_CTX_set_keylog_callback
-
-#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_0_2_RTM
-
-#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 4
-
-#define X509_check_host local_X509_check_host
-#define X509_STORE_CTX_get0_store local_X509_STORE_CTX_get0_store
-
-#endif
-
-// Restore the old names for RENAMED_FUNCTION functions.
-#define EVP_MD_CTX_free EVP_MD_CTX_destroy
-#define EVP_MD_CTX_new EVP_MD_CTX_create
-#define RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay
-#define OPENSSL_sk_free sk_free
-#define OPENSSL_sk_new_null sk_new_null
-#define OPENSSL_sk_num sk_num
-#define OPENSSL_sk_pop sk_pop
-#define OPENSSL_sk_pop_free sk_pop_free
-#define OPENSSL_sk_push sk_push
-#define OPENSSL_sk_value sk_value
-#define TLS_method SSLv23_method
-
 #endif
 #endif // FEATURE_DISTRO_AGNOSTIC_SSL
diff --git a/src/native/libs/System.Security.Cryptography.Native/osslcompat_102.h b/src/native/libs/System.Security.Cryptography.Native/osslcompat_102.h
deleted file mode 100644
index 2ee440c320d338..00000000000000
--- a/src/native/libs/System.Security.Cryptography.Native/osslcompat_102.h
+++ /dev/null
@@ -1,34 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-//
-
-#pragma once
-
-// Function prototypes unique to OpenSSL 1.0.2
-
-typedef struct stack_st _STACK;
-
-#undef CRYPTO_num_locks
-#undef CRYPTO_set_locking_callback
-#undef ERR_load_crypto_strings
-#undef EVP_CIPHER_CTX_cleanup
-#undef EVP_CIPHER_CTX_init
-#undef OPENSSL_add_all_algorithms_conf
-#undef SSL_library_init
-#undef SSL_load_error_strings
-#undef SSL_state
-#undef SSLeay
-
-int CRYPTO_add_lock(int* pointer, int amount, int type, const char* file, int line);
-int CRYPTO_num_locks(void);
-void CRYPTO_set_locking_callback(void (*func)(int mode, int type, const char* file, int line));
-void ERR_load_crypto_strings(void);
-int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX* a);
-int EVP_CIPHER_CTX_init(EVP_CIPHER_CTX* a);
-void HMAC_CTX_cleanup(HMAC_CTX* ctx);
-void HMAC_CTX_init(HMAC_CTX* ctx);
-void OPENSSL_add_all_algorithms_conf(void);
-int SSL_library_init(void);
-void SSL_load_error_strings(void);
-int SSL_state(const SSL* ssl);
-unsigned long SSLeay(void);
diff --git a/src/native/libs/System.Security.Cryptography.Native/osslcompat_111.h b/src/native/libs/System.Security.Cryptography.Native/osslcompat_111.h
deleted file mode 100644
index 56d00cdbd9e360..00000000000000
--- a/src/native/libs/System.Security.Cryptography.Native/osslcompat_111.h
+++ /dev/null
@@ -1,104 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-// Function prototypes unique to OpenSSL 1.1.x
-
-#pragma once
-#include "pal_types.h"
-
-#undef BN_abs_is_word
-#undef BN_is_odd
-#undef BN_is_one
-#undef BN_is_zero
-#undef SSL_CTX_set_options
-#undef SSL_set_options
-#undef SSL_session_reused
-
-typedef struct ossl_init_settings_st OPENSSL_INIT_SETTINGS;
-typedef struct stack_st OPENSSL_STACK;
-
-#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0x00000002L
-#define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L
-#define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L
-#define OPENSSL_INIT_LOAD_CONFIG 0x00000040L
-#define OPENSSL_INIT_LOAD_SSL_STRINGS 0x00200000L
-
-int ASN1_TIME_to_tm(const ASN1_TIME* s, struct tm* tm);
-int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w);
-int BN_is_odd(const BIGNUM* a);
-int BN_is_one(const BIGNUM* a);
-int BN_is_zero(const BIGNUM* a);
-int BIO_up_ref(BIO* a);
-const BIGNUM* DSA_get0_key(const DSA* dsa, const BIGNUM** pubKey, const BIGNUM** privKey);
-void DSA_get0_pqg(const DSA* dsa, const BIGNUM** p, const BIGNUM** q, const BIGNUM** g);
-const DSA_METHOD* DSA_get_method(const DSA* dsa);
-int32_t DSA_set0_key(DSA* dsa, BIGNUM* bnY, BIGNUM* bnX);
-int32_t DSA_set0_pqg(DSA* dsa, BIGNUM* bnP, BIGNUM* bnQ, BIGNUM* bnG);
-void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX* ctx);
-EVP_CIPHER_CTX* EVP_CIPHER_CTX_new(void);
-int32_t EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX* ctx);
-void EVP_MD_CTX_free(EVP_MD_CTX* ctx);
-EVP_MD_CTX* EVP_MD_CTX_new(void);
-RSA* EVP_PKEY_get0_RSA(EVP_PKEY* pkey);
-int EVP_PKEY_check(EVP_PKEY_CTX* ctx);
-int EVP_PKEY_public_check(EVP_PKEY_CTX* ctx);
-int32_t EVP_PKEY_up_ref(EVP_PKEY* pkey);
-void HMAC_CTX_free(HMAC_CTX* ctx);
-HMAC_CTX* HMAC_CTX_new(void);
-int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS* settings);
-void OPENSSL_sk_free(OPENSSL_STACK*);
-OPENSSL_STACK* OPENSSL_sk_new_null(void);
-int OPENSSL_sk_num(const OPENSSL_STACK*);
-void* OPENSSL_sk_pop(OPENSSL_STACK* st);
-void OPENSSL_sk_pop_free(OPENSSL_STACK* st, void (*func)(void*));
-int OPENSSL_sk_push(OPENSSL_STACK* st, const void* data);
-void* OPENSSL_sk_value(const OPENSSL_STACK*, int);
-long OpenSSL_version_num(void);
-const RSA_METHOD* RSA_PKCS1_OpenSSL(void);
-void RSA_get0_crt_params(const RSA* rsa, const BIGNUM** dmp1, const BIGNUM** dmq1, const BIGNUM** iqmp);
-void RSA_get0_factors(const RSA* rsa, const BIGNUM** p, const BIGNUM** q);
-void RSA_get0_key(const RSA* rsa, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d);
-int RSA_get_multi_prime_extra_count(const RSA* r);
-int32_t RSA_meth_get_flags(const RSA_METHOD* meth);
-int32_t RSA_pkey_ctx_ctrl(EVP_PKEY_CTX* ctx, int32_t optype, int32_t cmd, int32_t p1, void* p2);
-int32_t RSA_set0_crt_params(RSA* rsa, BIGNUM* dmp1, BIGNUM* dmq1, BIGNUM* iqmp);
-int32_t RSA_set0_factors(RSA* rsa, BIGNUM* p, BIGNUM* q);
-int32_t RSA_set0_key(RSA* rsa, BIGNUM* n, BIGNUM* e, BIGNUM* d);
-int RSA_test_flags(const RSA *r, int flags);
-int SSL_CTX_config(SSL_CTX* ctx, const char* name);
-unsigned long SSL_CTX_set_options(SSL_CTX* ctx, unsigned long options);
-void SSL_CTX_set_security_level(SSL_CTX* ctx, int32_t level);
-int32_t SSL_is_init_finished(SSL* ssl);
-unsigned long SSL_set_options(SSL* ctx, unsigned long options);
-void SSL_set_post_handshake_auth(SSL *s, int val);
-int32_t SSL_set_post_handshake_auth(SSL *s, int val);
-int SSL_session_reused(SSL* ssl);
-int SSL_verify_client_post_handshake(SSL *s);
-const SSL_METHOD* TLS_method(void);
-const ASN1_TIME* X509_CRL_get0_nextUpdate(const X509_CRL* crl);
-int32_t X509_NAME_get0_der(X509_NAME* x509Name, const uint8_t** pder, size_t* pderlen);
-int32_t X509_PUBKEY_get0_param(
- ASN1_OBJECT** palgOid, const uint8_t** pkeyBytes, int* pkeyBytesLen, X509_ALGOR** palg, X509_PUBKEY* pubkey);
-X509* X509_STORE_CTX_get0_cert(X509_STORE_CTX* ctx);
-STACK_OF(X509) * X509_STORE_CTX_get0_chain(X509_STORE_CTX* ctx);
-STACK_OF(X509) * X509_STORE_CTX_get0_untrusted(X509_STORE_CTX* ctx);
-X509_VERIFY_PARAM* X509_STORE_get0_param(X509_STORE* ctx);
-const ASN1_TIME* X509_get0_notAfter(const X509* x509);
-const ASN1_TIME* X509_get0_notBefore(const X509* x509);
-ASN1_BIT_STRING* X509_get0_pubkey_bitstr(const X509* x509);
-const X509_ALGOR* X509_get0_tbs_sigalg(const X509* x509);
-X509_PUBKEY* X509_get_X509_PUBKEY(const X509* x509);
-int32_t X509_get_version(const X509* x509);
-int X509_set1_notAfter(X509* x509, const ASN1_TIME*);
-int X509_set1_notBefore(X509* x509, const ASN1_TIME*);
-int32_t X509_up_ref(X509* x509);
-const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s);
-int SSL_SESSION_set1_hostname(SSL_SESSION *s, const char *hostname);
-void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb);
-
-#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_0_2_RTM
-int32_t X509_check_host(X509* x509, const char* name, size_t namelen, unsigned int flags, char** peername);
-X509_STORE* X509_STORE_CTX_get0_store(X509_STORE_CTX* ctx);
-#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 4
-
-#endif
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_evp_cipher.h b/src/native/libs/System.Security.Cryptography.Native/pal_evp_cipher.h
index 0899cea9dbe3af..c1d1a665684307 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_evp_cipher.h
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_evp_cipher.h
@@ -19,9 +19,7 @@ PALEXPORT int32_t CryptoNative_EvpCipherSetCcmNonceLength(EVP_CIPHER_CTX* ctx, i
 /* Cleans up and deletes an EVP_CIPHER_CTX instance created by EvpCipherCreate.
-Implemented by:
- 1) Calling EVP_CIPHER_CTX_cleanup
- 2) Deleting the EVP_CIPHER_CTX instance.
+Implemented by calling EVP_CIPHER_CTX_free
 No-op if ctx is null.
 The given EVP_CIPHER_CTX pointer is invalid after this call.
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_hmac.h b/src/native/libs/System.Security.Cryptography.Native/pal_hmac.h
index ee2476d3405743..eb8f9f08a598be 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_hmac.h
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_hmac.h
@@ -18,8 +18,7 @@ typedef struct hmac_ctx_st HMAC_CTX;
 *
 * Implemented by:
 * 1) allocating a new HMAC_CTX
- * 2) calling HMAC_CTX_Init on the new HMAC_CTX
- * 3) calling HMAC_Init_ex with the new HMAC_CTX and the given args.
+ * 2) calling HMAC_Init_ex with the new HMAC_CTX and the given args.
 *
 * Returns new HMAC_CTX on success, nullptr on failure.
 */
@@ -28,9 +27,7 @@ PALEXPORT HMAC_CTX* CryptoNative_HmacCreate(const uint8_t* key, int32_t keyLen,
 /**
 * Cleans up and deletes an HMAC_CTX instance created by HmacCreate.
 *
- * Implemented by:
- * 1) Calling HMAC_CTX_Cleanup
- * 2) Deleting the HMAC_CTX instance.
+ * Implemented by calling HMAC_CTX_free
 *
 * No-op if ctx is null.
 * The given HMAC_CTX pointer is invalid after this call.
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
index 49d4e5aead38ec..4f935e691ef4c2 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
@@ -33,14 +33,6 @@ c_static_assert(TLSEXT_STATUSTYPE_ocsp == 1);
 int32_t CryptoNative_EnsureOpenSslInitialized(void);
-#ifdef NEED_OPENSSL_1_0
-static void EnsureLibSsl10Initialized(void)
-{
- SSL_library_init();
- SSL_load_error_strings();
-}
-#endif
-
 #ifdef FEATURE_DISTRO_AGNOSTIC_SSL
 // redirect all SSL_CTX_set_options and SSL_set_options calls via dynamic shims
 // to work around ABI breaking change between 1.1 and 3.0
@@ -93,26 +85,6 @@ static char* g_emptyAlpn = ""; static void DetectCiphersuiteConfiguration(void) { -#ifdef FEATURE_DISTRO_AGNOSTIC_SSL - - if (API_EXISTS(SSL_state)) - { - // For portable builds NEED_OPENSSL_1_1 is always set. - // OpenSSL 1.0 does not support CipherSuites so there is no way for caller to override default - g_config_specified_ciphersuites = 1; - return; - } - -#endif - - // This routine will always produce g_config_specified_ciphersuites = 1 on OpenSSL 1.0.x, - // so if we're building direct for 1.0.x (the only time NEED_OPENSSL_1_1 is undefined) then - // just omit all the code here. - // - // The method uses OpenSSL 1.0.x API, except for the fallback function SSL_CTX_config, to - // make the portable version easier. -#if defined NEED_OPENSSL_1_1 || defined NEED_OPENSSL_3_0 - // Check to see if there's a registered default CipherString. If not, we will use our own. SSL_CTX* ctx = SSL_CTX_new(TLS_method()); assert(ctx != NULL); @@ -164,31 +136,11 @@ static void DetectCiphersuiteConfiguration(void) } SSL_CTX_free(ctx); - -#else - - // OpenSSL 1.0 does not support CipherSuites so there is no way for caller to override default - g_config_specified_ciphersuites = 1; - -#endif } void CryptoNative_EnsureLibSslInitialized(void) { CryptoNative_EnsureOpenSslInitialized(); - - // If portable, call the 1.0 initializer when needed. - // If 1.0, call it statically. - // In 1.1 no action is required, since EnsureOpenSslInitialized does both libraries. -#ifdef FEATURE_DISTRO_AGNOSTIC_SSL - if (API_EXISTS(SSL_state)) - { - EnsureLibSsl10Initialized(); - } -#elif OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM - EnsureLibSsl10Initialized(); -#endif - DetectCiphersuiteConfiguration(); } 
@@ -242,57 +194,10 @@ SSL_CTX* CryptoNative_SslCtxCreate(const SSL_METHOD* method)
 return ctx;
 }
-/*
-Openssl supports setting ecdh curves by default from version 1.1.0.
-For lower versions, this is the recommended approach.
-Returns 1 on success, 0 on failure.
-*/
-static long TrySetECDHNamedCurve(SSL_CTX* ctx)
-{
-#ifdef NEED_OPENSSL_1_0
- int64_t version = CryptoNative_OpenSslVersionNumber();
- long result = 0;
-
- if (version >= OPENSSL_VERSION_1_1_0_RTM)
- {
- // OpenSSL 1.1+ automatically set up ECDH
- result = 1;
- }
- else if (version >= OPENSSL_VERSION_1_0_2_RTM)
- {
-#ifndef SSL_CTRL_SET_ECDH_AUTO
-#define SSL_CTRL_SET_ECDH_AUTO 94
-#endif
- // Expanded form of SSL_CTX_set_ecdh_auto(ctx, 1)
- result = SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL);
- }
- else
- {
- EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-
- if (ecdh != NULL)
- {
- result = SSL_CTX_set_tmp_ecdh(ctx, ecdh);
- EC_KEY_free(ecdh);
- }
- }
-
- return result;
-#else
- (void)ctx;
- return 1;
-#endif
-}
-
 static void ResetCtxProtocolRestrictions(SSL_CTX* ctx)
 {
-#ifndef SSL_CTRL_SET_MIN_PROTO_VERSION
-#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
-#endif
-#ifndef SSL_CTRL_SET_MAX_PROTO_VERSION
-#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
-#endif
-
+ c_static_assert(SSL_CTRL_SET_MIN_PROTO_VERSION == 123);
+ c_static_assert(SSL_CTRL_SET_MAX_PROTO_VERSION == 124);
 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, 0, NULL);
 SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, 0, NULL);
 }
@@ -301,12 +206,6 @@ void CryptoNative_SslCtxSetProtocolOptions(SSL_CTX* ctx, SslProtocols protocols)
 {
 // void shim functions don't lead to exceptions, so skip the unconditional error clearing.
- // Ensure that ECDHE is available
- if (TrySetECDHNamedCurve(ctx) == 0)
- {
- ERR_clear_error();
- }
-
 // protocols may be 0, meaning system default, in which case let OpenSSL do what OpenSSL wants.
 if (protocols == 0)
 {
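Review bot: The two `c_static_assert` lines added to ResetCtxProtocolRestrictions pin the ctrl codes without saying why a mismatch would matter, and the fallback defines they replace carried the only explanation of the magic numbers. A one-line comment above them would keep the intent readable, e.g. `// Pin the ctrl codes: the SSL_CTX_ctrl calls below depend on them, so a header that defines them differently fails the build instead of silently changing the min/max reset.` With 1.0.x support gone, the `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` macros, which expand to exactly these `SSL_CTX_ctrl` calls, could replace the hand-expanded form and make the asserts unnecessary; if the expanded form is kept on purpose (the dynamic-shim build redirects `SSL_CTX_ctrl`, so either should work), the comment should say so.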
@@ -494,17 +393,9 @@ int32_t CryptoNative_SslRenegotiate(SSL* ssl, int32_t* error)
 #endif
 if (SSL_version(ssl) == TLS1_3_VERSION)
 {
- // this is just a sanity check, if TLS 1.3 was negotiated, then the function must be available
- if (API_EXISTS(SSL_verify_client_post_handshake))
- {
- // Post-handshake auth reqires SSL_VERIFY_PEER to be set
- CryptoNative_SslSetVerifyPeer(ssl);
- return SSL_verify_client_post_handshake(ssl);
- }
- else
- {
- return 0;
- }
+ // Post-handshake auth reqires SSL_VERIFY_PEER to be set
+ CryptoNative_SslSetVerifyPeer(ssl);
+ return SSL_verify_client_post_handshake(ssl);
 }
 #endif
@@ -663,18 +554,6 @@ void CryptoNative_SslSetVerifyPeer(SSL* ssl)
 int CryptoNative_SslCtxSetCaching(SSL_CTX* ctx, int mode, int cacheSize, int contextIdLength, uint8_t* contextId, SslCtxNewSessionCallback newSessionCb, SslCtxRemoveSessionCallback removeSessionCb)
 {
 int retValue = 1;
- if (mode && !API_EXISTS(SSL_SESSION_get0_hostname))
- {
- // Disable caching on old OpenSSL.
- // While TLS resume is optional, none of this is critical.
- mode = 0;
-
- if (newSessionCb != NULL || removeSessionCb != NULL)
- {
- // Indicate unwillingness to restore sessions
- retValue = 0;
- }
- }
 // void shim functions don't lead to exceptions, so skip the unconditional error clearing.
 // We never reuse same CTX for both client and server
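Review bot: The comment carried into the new code in CryptoNative_SslRenegotiate, `// Post-handshake auth reqires SSL_VERIFY_PEER to be set`, keeps the typo; it should read `// Post-handshake auth requires SSL_VERIFY_PEER to be set`. The early `return SSL_verify_client_post_handshake(ssl);` hands OpenSSL's 1/0 result straight to the caller, so if the `error` out-parameter is expected to be populated on a 0 result that now has to happen before this return; I cannot confirm either way because the function starts and ends outside the hunk. The deleted `API_EXISTS` branch was documented as only a sanity check, and a short comment saying that reaching this branch already implies a library with the post-handshake API would preserve that reasoning now that the check is gone.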
@@ -733,28 +612,12 @@ void CryptoNative_SslSessionFree(SSL_SESSION* session)
 const char* CryptoNative_SslSessionGetHostname(SSL_SESSION* session)
 {
-#if defined NEED_OPENSSL_1_1 || defined NEED_OPENSSL_3_0
- if (API_EXISTS(SSL_SESSION_get0_hostname))
- {
- return SSL_SESSION_get0_hostname(session);
- }
-#else
- (void*)session;
-#endif
- return NULL;
+ return SSL_SESSION_get0_hostname(session);
 }
 int CryptoNative_SslSessionSetHostname(SSL_SESSION* session, const char* hostname)
 {
-#if defined NEED_OPENSSL_1_1 || defined NEED_OPENSSL_3_0
- if (API_EXISTS(SSL_SESSION_set1_hostname))
- {
- SSL_SESSION_set1_hostname(session, hostname);
- }
-#else
- (void*)session;
- (const void*)hostname;
-#endif
+ SSL_SESSION_set1_hostname(session, hostname);
 return 0;
 }
@@ -1039,15 +902,7 @@ void CryptoNative_SslCtxSetKeylogCallback(SSL_CTX* ctx, SslCtxSetKeylogCallback
 void CryptoNative_SslSetPostHandshakeAuth(SSL* ssl, int32_t val)
 {
-#if defined NEED_OPENSSL_1_1 || defined NEED_OPENSSL_3_0
- if (API_EXISTS(SSL_set_post_handshake_auth))
- {
- SSL_set_post_handshake_auth(ssl, val);
- }
-#else
- (void)ssl;
- (void)val;
-#endif
+ SSL_set_post_handshake_auth(ssl, val);
 }
 int32_t CryptoNative_SslSetData(SSL* ssl, void* ptr)
@@ -1238,7 +1093,7 @@ int32_t CryptoNative_GetDefaultSignatureAlgorithms(uint16_t* buffer, int32_t* co
 // send/receive the client hello
 ret = SSL_do_handshake(client);
 ret = SSL_do_handshake(server);
-
+
 int c = SSL_get_sigalgs(server, 0, NULL, NULL, NULL, NULL, NULL);
 if (c > 0)
 {
@@ -1251,12 +1106,12 @@ int32_t CryptoNative_GetDefaultSignatureAlgorithms(uint16_t* buffer, int32_t* co
 break;
 }
- unsigned char sig, hash;
+ unsigned char sig, hash;
 SSL_get_sigalgs(server, i, NULL, NULL, NULL, &sig, &hash);
 buffer[i] = (uint16_t)(hash << 8 | sig);
 }
- *count = c;
+ *count = c;
 ret = 0;
 }
 }
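Review bot: In CryptoNative_SslSessionSetHostname the result of the new unconditional `SSL_SESSION_set1_hostname(session, hostname);` is still discarded and the function always returns 0, so a failed hostname copy (the call returns 0 on failure, typically allocation) is invisible to the caller. Now that the call is no longer guarded the result could be propagated, e.g. `return SSL_SESSION_set1_hostname(session, hostname) == 1 ? 0 : 1;`, assuming the managed side treats 0 as success, which I cannot see from here. If resumption lookups are keyed by this hostname, a session silently cached without one is worth guarding against rather than leaving the previous best-effort behaviour in place. CryptoNative_SslSessionGetHostname and CryptoNative_SslSetPostHandshakeAuth in this file get the same unconditional-call shape, but neither has a result to propagate.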