Fix safestack issues in ssl.h

We fix 3 problems with safestack: - Including an openssl header file without linking against libcrypto can cause compilation failures (even if the app does not otherwise need to link against libcrypto). See issue #8102 - Recent changes means that applications in no-deprecated builds will need to include additional macro calls in the source code for all stacks that they need to use - which is an API break. This changes avoids that necessity. - It is not possible to write code using stacks that works in both a no-deprecated and a normal build of OpenSSL. See issue #12707. Fixes #12707 Contains a partial fix for #8102. A similar PR will be needed for hash to fully fix. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-02 16:15:06 +01:00 · 2020-09-02 16:15:06 +01:00 · 6ac1cd10ba
parent 08073700cc
commit 6ac1cd10ba
24 changed files with 108 additions and 38 deletions
--- a/.gitignore
+++ b/.gitignore
@ -25,6 +25,7 @@
 /include/openssl/configuration.h
 /include/openssl/opensslv.h
 /include/openssl/fipskey.h
+/include/openssl/ssl.h

 # Auto generated doc files
 doc/man1/openssl-*.pod
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@ -15,8 +15,6 @@
 #include <openssl/err.h>
 #include <openssl/ssl.h>

-DEFINE_STACK_OF_CONST(SSL_CIPHER)
-
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_STDNAME,
--- a/apps/s_server.c
+++ b/apps/s_server.c
@ -63,7 +63,6 @@ typedef unsigned int u_int;
 DEFINE_STACK_OF(X509_EXTENSION)
 DEFINE_STACK_OF(X509_CRL)
 DEFINE_STACK_OF(X509)
-DEFINE_STACK_OF(SSL_CIPHER)
 DEFINE_STACK_OF_STRING()

 static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
--- a/build.info
+++ b/build.info
@ -15,12 +15,14 @@ DEPEND[libssl]=libcrypto
 # unconditionally before anything else.
 DEPEND[]=include/openssl/configuration.h include/openssl/opensslv.h \
         include/openssl/fipskey.h \
+         include/openssl/ssl.h \
         include/crypto/bn_conf.h include/crypto/dso_conf.h \
         doc/man7/openssl_user_macros.pod

 GENERATE[include/openssl/configuration.h]=include/openssl/configuration.h.in
 GENERATE[include/openssl/opensslv.h]=include/openssl/opensslv.h.in
 GENERATE[include/openssl/fipskey.h]=include/openssl/fipskey.h.in
+GENERATE[include/openssl/ssl.h]=include/openssl/ssl.h.in
 GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in
 GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in
 GENERATE[doc/man7/openssl_user_macros.pod]=doc/man7/openssl_user_macros.pod.in
--- a/fuzz/client.c
+++ b/fuzz/client.c
@ -20,8 +20,6 @@

 #include "rand.inc"

-DEFINE_STACK_OF(SSL_COMP)
-
 /* unused, to avoid warning. */
 static int idx;

--- a/fuzz/server.c
+++ b/fuzz/server.c
@ -24,8 +24,6 @@

 #include "rand.inc"

-DEFINE_STACK_OF(SSL_COMP)
-
 static const uint8_t kCertificateDER[] = {
    0x30, 0x82, 0x02, 0xff, 0x30, 0x82, 0x01, 0xe7, 0xa0, 0x03, 0x02, 0x01,
    0x02, 0x02, 0x11, 0x00, 0xb1, 0x84, 0xee, 0x34, 0x99, 0x98, 0x76, 0xfb,
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@ -1,4 +1,6 @@
 /*
+ * {- join("\n * ", @autowarntext) -}
+ *
 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
 * Copyright 2005 Nokia. All rights reserved.
@ -9,6 +11,10 @@
 * https://www.openssl.org/source/license.html
 */

+{-
+use OpenSSL::stackhash qw(generate_stack_macros generate_const_stack_macros);
+-}
+
 #ifndef OPENSSL_SSL_H
 # define OPENSSL_SSL_H
 # pragma once
@ -240,7 +246,9 @@ typedef struct srtp_protection_profile_st {
    const char *name;
    unsigned long id;
 } SRTP_PROTECTION_PROFILE;
-DEFINE_OR_DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
+{-
+    generate_stack_macros("SRTP_PROTECTION_PROFILE");
+-}


 typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data,
@ -980,8 +988,10 @@ extern "C" {
 * These need to be after the above set of includes due to a compiler bug
 * in VisualStudio 2015
 */
-DEFINE_OR_DECLARE_STACK_OF(SSL_CIPHER)
-DEFINE_OR_DECLARE_STACK_OF(SSL_COMP)
+{-
+    generate_const_stack_macros("SSL_CIPHER")
+    .generate_stack_macros("SSL_COMP");
+-}

 /* compatibility */
 # define SSL_set_app_data(s,arg)         (SSL_set_ex_data(s,0,(char *)(arg)))
--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
@ -19,8 +19,6 @@

 #ifndef OPENSSL_NO_SRTP

-DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
-
 static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = {
    {
     "SRTP_AES128_CM_SHA1_80",
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -22,7 +22,6 @@

 DEFINE_STACK_OF(X509_NAME)
 DEFINE_STACK_OF(X509)
-DEFINE_STACK_OF_CONST(SSL_CIPHER)

 #define TLS13_NUM_CIPHERS       OSSL_NELEM(tls13_ciphers)
 #define SSL3_NUM_CIPHERS        OSSL_NELEM(ssl3_ciphers)
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@ -25,9 +25,6 @@
 #include "internal/thread_once.h"
 #include "internal/cryptlib.h"

-DEFINE_STACK_OF(SSL_COMP)
-DEFINE_STACK_OF_CONST(SSL_CIPHER)
-
 /* NB: make sure indices in these tables match values above */

 typedef struct {
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -30,10 +30,8 @@

 DEFINE_STACK_OF(X509)
 DEFINE_STACK_OF(X509_NAME)
-DEFINE_STACK_OF_CONST(SSL_CIPHER)
 DEFINE_STACK_OF(X509_EXTENSION)
 DEFINE_STACK_OF(OCSP_RESPID)
-DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
 DEFINE_STACK_OF(SCT)

 static int ssl_undefined_function_1(SSL *ssl, SSL3_RECORD *r, size_t s, int t,
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@ -12,8 +12,6 @@
 #include "internal/cryptlib.h"
 #include "statem_local.h"

-DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
-DEFINE_STACK_OF_CONST(SSL_CIPHER)
 DEFINE_STACK_OF(OCSP_RESPID)

 EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@ -12,7 +12,6 @@
 #include "statem_local.h"
 #include "internal/cryptlib.h"

-DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
 DEFINE_STACK_OF(OCSP_RESPID)
 DEFINE_STACK_OF(X509_EXTENSION)

--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@ -29,8 +29,6 @@
 #include <internal/cryptlib.h>

 DEFINE_STACK_OF(X509)
-DEFINE_STACK_OF(SSL_COMP)
-DEFINE_STACK_OF_CONST(SSL_CIPHER)

 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@ -23,7 +23,6 @@

 DEFINE_STACK_OF(X509)
 DEFINE_STACK_OF(X509_NAME)
-DEFINE_STACK_OF_CONST(SSL_CIPHER)

 /*
 * Map error codes to TLS/SSL alart types.
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@ -27,8 +27,6 @@
 #include <openssl/asn1t.h>

 DEFINE_STACK_OF(X509)
-DEFINE_STACK_OF(SSL_COMP)
-DEFINE_STACK_OF_CONST(SSL_CIPHER)

 #define TICKET_NONCE_SIZE       8

--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@ -28,7 +28,6 @@
 #include "ssl_local.h"
 #include <openssl/ct.h>

-DEFINE_STACK_OF_CONST(SSL_CIPHER)
 DEFINE_STACK_OF(X509)
 DEFINE_STACK_OF(X509_NAME)

--- a/test/cipherbytes_test.c
+++ b/test/cipherbytes_test.c
@ -21,8 +21,6 @@
 #include "internal/nelem.h"
 #include "testutil.h"

-DEFINE_STACK_OF(SSL_CIPHER)
-
 static SSL_CTX *ctx;
 static SSL *s;

--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@ -21,8 +21,6 @@
 #include "internal/nelem.h"
 #include "testutil.h"

-DEFINE_STACK_OF_CONST(SSL_CIPHER)
-
 typedef struct cipherlist_test_fixture {
    const char *test_case_name;
    SSL_CTX *server;
--- a/test/ciphername_test.c
+++ b/test/ciphername_test.c
@ -22,8 +22,6 @@
 #include "internal/nelem.h"
 #include "testutil.h"

-DEFINE_STACK_OF(SSL_CIPHER)
-
 typedef struct cipher_id_name {
    int id;
    const char *name;
--- a/test/dtls_mtu_test.c
+++ b/test/dtls_mtu_test.c
@ -20,8 +20,6 @@
 /* for SSL_READ_ETM() */
 #include "../ssl/ssl_local.h"

-DEFINE_STACK_OF(SSL_CIPHER)
-
 static int debug = 0;

 static unsigned int clnt_psk_callback(SSL *ssl, const char *hint,
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@ -11,8 +11,6 @@
 #include "ssltestlib.h"
 #include "testutil.h"

-DEFINE_STACK_OF(SSL_CIPHER)
-
 static int docorrupt = 0;

 static void copy_flags(BIO *bio)
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@ -81,7 +81,6 @@
 # include <unistd.h>
 #endif

-DEFINE_STACK_OF(SSL_COMP)
 DEFINE_STACK_OF_STRING()

 static SSL_CTX *s_ctx = NULL;
--- a/util/perl/OpenSSL/stackhash.pm
+++ b/util/perl/OpenSSL/stackhash.pm
@ -0,0 +1,92 @@
+#! /usr/bin/env perl
+# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+package OpenSSL::stackhash;
+
+use strict;
+use warnings;
+
+require Exporter;
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(generate_stack_macros generate_const_stack_macros);
+
+sub generate_stack_macros_int {
+    my $nametype = shift;
+    my $realtype = shift;
+    my $plaintype = shift;
+
+    my $macros = <<END_MACROS;
+STACK_OF(${nametype});
+typedef int (*sk_${nametype}_compfunc)(const ${plaintype} * const *a, const ${plaintype} *const *b);
+typedef void (*sk_${nametype}_freefunc)(${plaintype} *a);
+typedef ${plaintype} * (*sk_${nametype}_copyfunc)(const ${plaintype} *a);
+static ossl_unused ossl_inline ${realtype} *ossl_check_${nametype}_type(${realtype} *ptr)
+{
+    return ptr;
+}
+static ossl_unused ossl_inline const OPENSSL_STACK *ossl_check_const_${nametype}_sk_type(const STACK_OF(${nametype}) *sk)
+{
+    return (const OPENSSL_STACK *)sk;
+}
+static ossl_unused ossl_inline OPENSSL_STACK *ossl_check_${nametype}_sk_type(STACK_OF(${nametype}) *sk)
+{
+    return (OPENSSL_STACK *)sk;
+}
+static ossl_unused ossl_inline OPENSSL_sk_compfunc ossl_check_${nametype}_compfunc_type(sk_${nametype}_compfunc cmp)
+{
+    return (OPENSSL_sk_compfunc)cmp;
+}
+static ossl_unused ossl_inline OPENSSL_sk_copyfunc ossl_check_${nametype}_copyfunc_type(sk_${nametype}_copyfunc cpy)
+{
+    return (OPENSSL_sk_copyfunc)cpy;
+}
+static ossl_unused ossl_inline OPENSSL_sk_freefunc ossl_check_${nametype}_freefunc_type(sk_${nametype}_freefunc fr)
+{
+    return (OPENSSL_sk_freefunc)fr;
+}
+#define sk_${nametype}_num(sk) OPENSSL_sk_num(ossl_check_const_${nametype}_sk_type(sk))
+#define sk_${nametype}_value(sk, idx) ((${realtype} *)OPENSSL_sk_value(ossl_check_const_${nametype}_sk_type(sk), (idx)))
+#define sk_${nametype}_new(cmp) ((STACK_OF(${nametype}) *)OPENSSL_sk_new(ossl_check_${nametype}_compfunc_type(cmp)))
+#define sk_${nametype}_new_null() ((STACK_OF(${nametype}) *)OPENSSL_sk_new_null())
+#define sk_${nametype}_new_reserve(cmp, n) ((STACK_OF(${nametype}) *)OPENSSL_sk_new_reserve(ossl_check_${nametype}_compfunc_type(cmp), (n)))
+#define sk_${nametype}_reserve(sk, n) OPENSSL_sk_reserve(ossl_check_${nametype}_sk_type(sk), (n))
+#define sk_${nametype}_free(sk) OPENSSL_sk_free(ossl_check_${nametype}_sk_type(sk))
+#define sk_${nametype}_zero(sk) OPENSSL_sk_zero(ossl_check_${nametype}_sk_type(sk))
+#define sk_${nametype}_delete(sk, i) ((${realtype} *)OPENSSL_sk_delete(ossl_check_${nametype}_sk_type(sk), (i)))
+#define sk_${nametype}_delete_ptr(sk, ptr) ((${realtype} *)OPENSSL_sk_delete_ptr(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr)))
+#define sk_${nametype}_push(sk, ptr) OPENSSL_sk_push(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr))
+#define sk_${nametype}_unshift(sk, ptr) OPENSSL_sk_unshift(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr))
+#define sk_${nametype}_pop(sk) ((${realtype} *)OPENSSL_sk_pop(ossl_check_${nametype}_sk_type(sk)))
+#define sk_${nametype}_shift(sk) ((${realtype} *)OPENSSL_sk_shift(ossl_check_${nametype}_sk_type(sk)))
+#define sk_${nametype}_pop_free(sk, freefunc) OPENSSL_sk_pop_free(ossl_check_${nametype}_sk_type(sk),ossl_check_${nametype}_freefunc_type(freefunc))
+#define sk_${nametype}_insert(sk, ptr, idx) OPENSSL_sk_insert(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr), (idx))
+#define sk_${nametype}_set(sk, idx, ptr) ((${realtype} *)OPENSSL_sk_set(ossl_check_${nametype}_sk_type(sk), (idx), ossl_check_${nametype}_type(ptr)))
+#define sk_${nametype}_find(sk, ptr) OPENSSL_sk_find(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr))
+#define sk_${nametype}_find_ex(sk, ptr) OPENSSL_sk_find_ex(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_type(ptr))
+#define sk_${nametype}_sort(sk) OPENSSL_sk_sort(ossl_check_${nametype}_sk_type(sk))
+#define sk_${nametype}_is_sorted(sk) OPENSSL_sk_is_sorted(ossl_check_const_${nametype}_sk_type(sk))
+#define sk_${nametype}_dup(sk) ((STACK_OF(${nametype}) *)OPENSSL_sk_dup(ossl_check_const_${nametype}_sk_type(sk)))
+#define sk_${nametype}_deep_copy(sk, copyfunc, freefunc) ((STACK_OF(${nametype}) *)OPENSSL_sk_deep_copy(ossl_check_const_${nametype}_sk_type(sk), ossl_check_${nametype}_copyfunc_type(copyfunc), ossl_check_${nametype}_freefunc_type(freefunc)))
+#define sk_${nametype}_set_cmp_func(sk, cmp) ((sk_${nametype}_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_${nametype}_sk_type(sk), ossl_check_${nametype}_compfunc_type(cmp)))
+END_MACROS
+
+    return $macros;
+}
+
+sub generate_stack_macros {
+    my $type = shift;
+
+    return generate_stack_macros_int($type, $type, $type);
+}
+
+sub generate_const_stack_macros {
+    my $type = shift;
+
+    return generate_stack_macros_int($type, "const $type", $type);
+}
+1;