2 * Copyright 2017 Facebook, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 #include <folly/portability/OpenSSL.h>
17 #include <folly/ssl/detail/OpenSSLThreading.h>
22 namespace portability {
25 #if OPENSSL_IS_BORINGSSL
26 int SSL_CTX_set1_sigalgs_list(SSL_CTX*, const char*) {
27 return 1; // 0 implies error
30 int TLS1_get_client_version(SSL* s) {
31 // Note that this isn't the client version, and the API to
32 // get this has been hidden. It may be found by parsing the
33 // ClientHello (there is a callback via the SSL_HANDSHAKE struct)
38 #if FOLLY_OPENSSL_IS_100
39 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER* c) {
43 int TLS1_get_client_version(const SSL* s) {
44 return (s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0;
48 #if FOLLY_OPENSSL_IS_100 || FOLLY_OPENSSL_IS_101
49 int X509_get_signature_nid(X509* cert) {
50 return OBJ_obj2nid(cert->sig_alg->algorithm);
54 #if FOLLY_OPENSSL_IS_100 || FOLLY_OPENSSL_IS_101 || FOLLY_OPENSSL_IS_102
55 int SSL_CTX_up_ref(SSL_CTX* ctx) {
56 return CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
59 int SSL_SESSION_up_ref(SSL_SESSION* session) {
60 return CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
63 int X509_up_ref(X509* x) {
64 return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
67 int EVP_PKEY_up_ref(EVP_PKEY* evp) {
68 return CRYPTO_add(&evp->references, 1, CRYPTO_LOCK_EVP_PKEY);
87 RSA* EVP_PKEY_get0_RSA(EVP_PKEY* pkey) {
88 if (pkey->type != EVP_PKEY_RSA) {
91 return pkey->pkey.rsa;
94 DSA* EVP_PKEY_get0_DSA(EVP_PKEY* pkey) {
95 if (pkey->type != EVP_PKEY_DSA) {
98 return pkey->pkey.dsa;
101 DH* EVP_PKEY_get0_DH(EVP_PKEY* pkey) {
102 if (pkey->type != EVP_PKEY_DH) {
105 return pkey->pkey.dh;
108 EC_KEY* EVP_PKEY_get0_EC_KEY(EVP_PKEY* pkey) {
109 if (pkey->type != EVP_PKEY_EC) {
112 return pkey->pkey.ec;
116 #if !FOLLY_OPENSSL_IS_110
117 void BIO_meth_free(BIO_METHOD* biom) {
118 OPENSSL_free((void*)biom);
121 int BIO_meth_set_read(BIO_METHOD* biom, int (*read)(BIO*, char*, int)) {
126 int BIO_meth_set_write(BIO_METHOD* biom, int (*write)(BIO*, const char*, int)) {
127 biom->bwrite = write;
131 const char* SSL_SESSION_get0_hostname(const SSL_SESSION* s) {
132 return s->tlsext_hostname;
135 unsigned char* ASN1_STRING_get0_data(const ASN1_STRING* x) {
136 return ASN1_STRING_data((ASN1_STRING*)x);
139 int SSL_SESSION_has_ticket(const SSL_SESSION* s) {
140 return (s->tlsext_ticklen > 0) ? 1 : 0;
143 unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION* s) {
144 return s->tlsext_tick_lifetime_hint;
147 // This is taken from OpenSSL 1.1.0
148 int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g) {
149 /* If the fields p and g in d are nullptr, the corresponding input
150 * parameters MUST not be nullptr. q may remain nullptr.
152 if (dh == nullptr || (dh->p == nullptr && p == nullptr) ||
153 (dh->g == nullptr && g == nullptr)) {
170 // In OpenSSL 1.1.0, DH_set0_pqg also sets
171 // dh->length = BN_num_bits(q)
172 // With OpenSSL 1.0.2, the output of openssl dhparam -C 2048 doesn't set
173 // the length field. So as far as the compat lib is concerned, this wrapper
174 // mimics the functionality of OpenSSL 1.0.2
175 // Note: BoringSSL doesn't even have a length field anymore, just something
176 // called 'priv_length'. Let's not mess with that for now.
186 // Based off of https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
200 const BIGNUM** pub_key,
201 const BIGNUM** priv_key) {
202 // Based off of https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
203 if (pub_key != nullptr) {
204 *pub_key = dh->pub_key;
206 if (priv_key != nullptr) {
207 *priv_key = dh->priv_key;
216 // Based off of https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
230 const BIGNUM** pub_key,
231 const BIGNUM** priv_key) {
232 // Based off of https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
233 if (pub_key != nullptr) {
234 *pub_key = dsa->pub_key;
236 if (priv_key != nullptr) {
237 *priv_key = dsa->priv_key;
241 X509* X509_STORE_CTX_get0_cert(X509_STORE_CTX* ctx) {
245 STACK_OF(X509) * X509_STORE_CTX_get0_chain(X509_STORE_CTX* ctx) {
246 return X509_STORE_CTX_get_chain(ctx);
249 STACK_OF(X509) * X509_STORE_CTX_get0_untrusted(X509_STORE_CTX* ctx) {
250 return ctx->untrusted;
253 EVP_MD_CTX* EVP_MD_CTX_new() {
254 EVP_MD_CTX* ctx = (EVP_MD_CTX*)OPENSSL_malloc(sizeof(EVP_MD_CTX));
256 throw std::runtime_error("Cannot allocate EVP_MD_CTX");
258 EVP_MD_CTX_init(ctx);
262 void EVP_MD_CTX_free(EVP_MD_CTX* ctx) {
264 EVP_MD_CTX_cleanup(ctx);
269 HMAC_CTX* HMAC_CTX_new() {
270 HMAC_CTX* ctx = (HMAC_CTX*)OPENSSL_malloc(sizeof(HMAC_CTX));
272 throw std::runtime_error("Cannot allocate HMAC_CTX");
278 void HMAC_CTX_free(HMAC_CTX* ctx) {
280 HMAC_CTX_cleanup(ctx);
285 bool RSA_set0_key(RSA* r, BIGNUM* n, BIGNUM* e, BIGNUM* d) {
286 // Based off of https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
288 * If the fields n and e in r are nullptr, the corresponding input parameters
289 * MUST be non-nullptr for n and e. d may be left NULL (in case only the
290 * public key is used).
292 if ((r->n == nullptr && n == nullptr) || (r->e == nullptr && e == nullptr)) {
310 void RSA_get0_factors(const RSA* r, const BIGNUM** p, const BIGNUM** q) {
311 // Based off of https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
320 void RSA_get0_crt_params(
324 const BIGNUM** iqmp) {
325 // Based off of https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
326 if (dmp1 != nullptr) {
329 if (dmq1 != nullptr) {
332 if (iqmp != nullptr) {
337 int ECDSA_SIG_set0(ECDSA_SIG* sig, BIGNUM* r, BIGNUM* s) {
338 // Based off of https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
339 if (r == nullptr || s == nullptr) {
342 BN_clear_free(sig->r);
343 BN_clear_free(sig->s);
350 const ECDSA_SIG* sig,
353 // Based off of https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
363 * Compatibility shim for OpenSSL < 1.1.0.
365 * For now, options and settings are ignored. We implement the most common
366 * behavior, which is to add all digests, ciphers, and strings.
368 int OPENSSL_init_ssl(uint64_t, const OPENSSL_INIT_SETTINGS*) {
369 // OpenSSL >= 1.1.0 handles initializing the library, adding digests &
370 // ciphers, loading strings. Additionally, OpenSSL >= 1.1.0 uses platform
371 // native threading & mutexes, which means that we should handle setting up
372 // the necessary threading initialization in the compat layer as well.
374 OpenSSL_add_all_ciphers();
375 OpenSSL_add_all_digests();
376 OpenSSL_add_all_algorithms();
378 SSL_load_error_strings();
379 ERR_load_crypto_strings();
381 // The caller should have used SSLContext::setLockTypes() prior to calling
383 folly::ssl::detail::installThreadingLocks();
387 void OPENSSL_cleanup() {
388 folly::ssl::detail::cleanupThreadingLocks();
389 CRYPTO_cleanup_all_ex_data();
395 const ASN1_INTEGER* X509_REVOKED_get0_serialNumber(const X509_REVOKED* r) {
396 return r->serialNumber;
399 const ASN1_TIME* X509_REVOKED_get0_revocationDate(const X509_REVOKED* r) {
400 return r->revocationDate;
403 #endif // !FOLLY_OPENSSL_IS_110