Tweaks for node.js
node.js is, effectively, another bindings library. However, it's better
written than most and, with these changes, only a couple of tiny fixes
are needed in node.js. Some of these changes are a little depressing
however so we'll need to push node.js to use APIs where possible.
Changes:
∙ Support verify_recover. This is very obscure and the motivation
appears to be https://github.com/nodejs/node/issues/477 – where it's
not clear that anyone understands what it means :(
∙ Add a few, no-op #defines
∙ Add some members to |SSL_CTX| and |SSL| – node.js needs to not
reach into these structs in the future.
∙ Add EC_get_builtin_curves.
∙ Add EVP_[CIPHER|MD]_do_all_sorted – these functions are limited to
decrepit.
Change-Id: I9a3566054260d6c4db9d430beb7c46cc970a9d46
Reviewed-on: https://boringssl-review.googlesource.com/6952
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/bio.h b/include/openssl/bio.h
index 3447f5b..6ca3575 100644
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@@ -711,6 +711,11 @@
#define BIO_CTRL_GET_CALLBACK 15 /* opt - set callback function */
#define BIO_CTRL_SET_FILENAME 30 /* BIO_s_file special */
+/* These are never used, but exist to allow code to compile more easily. */
+#define BIO_CTRL_DUP 100
+#define BIO_CTRL_PUSH 101
+#define BIO_CTRL_POP 102
+
/* Android compatibility section.
*
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 193c8c3..29d5892 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -42,7 +42,9 @@
/* Deprecated functions. */
-#define OPENSSL_VERSION_TEXT "BoringSSL"
+/* OPENSSL_VERSION_TEXT contains a string the identifies the version of
+ * “OpenSSL”. node.js requires a version number in this text. */
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2 (compatible; BoringSSL)"
#define SSLEAY_VERSION 0
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index 26f40b7..82f84ea 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -81,14 +81,24 @@
typedef struct ec_group_st EC_GROUP;
typedef struct ec_point_st EC_POINT;
-/** Enum for the point conversion form as defined in X9.62 (ECDSA)
- * for the encoding of a elliptic curve point (x,y) */
+/* point_conversion_form_t enumerates forms, as defined in X9.62 (ECDSA), for
+ * the encoding of a elliptic curve point (x,y) */
typedef enum {
- /** the point is encoded as z||x, where the octet z specifies
- * which solution of the quadratic equation y is */
- POINT_CONVERSION_COMPRESSED = 2,
- /** the point is encoded as z||x||y, where z is the octet 0x04 */
- POINT_CONVERSION_UNCOMPRESSED = 4
+ /* POINT_CONVERSION_COMPRESSED indicates that the point is encoded as z||x,
+ * where the octet z specifies which solution of the quadratic equation y
+ * is. */
+ POINT_CONVERSION_COMPRESSED = 2,
+
+ /* POINT_CONVERSION_COMPRESSED indicates that the point is encoded as
+ * z||x||y, where z is the octet 0x04. */
+ POINT_CONVERSION_UNCOMPRESSED = 4,
+
+ /* POINT_CONVERSION_HYBRID indicates that the point is encoded as z||x||y,
+ * where z specifies which solution of the quadratic equation y is. This is
+ * not supported by the code and has never been observed in use.
+ *
+ * TODO(agl): remove once node.js no longer references this. */
+ POINT_CONVERSION_HYBRID = 6,
} point_conversion_form_t;
@@ -306,6 +316,19 @@
OPENSSL_EXPORT void EC_GROUP_set_point_conversion_form(
EC_GROUP *group, point_conversion_form_t form);
+/* EC_builtin_curve describes a supported elliptic curve. */
+typedef struct {
+ int nid;
+ const char *comment;
+} EC_builtin_curve;
+
+/* EC_get_builtin_curves writes at most |max_num_curves| elements to
+ * |out_curves| and returns the total number that it would have written, had
+ * |max_num_curves| been large enough.
+ *
+ * The |EC_builtin_curve| items describe the supported elliptic curves. */
+OPENSSL_EXPORT size_t EC_get_builtin_curves(EC_builtin_curve *out_curves,
+ size_t max_num_curves);
/* Old code expects to get EC_KEY from ec.h. */
#include <openssl/ec_key.h>
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 948353a..adf586e 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -511,6 +511,34 @@
size_t *out_len, const uint8_t *in,
size_t in_len);
+/* EVP_PKEY_verify_recover_init initialises an |EVP_PKEY_CTX| for a public-key
+ * decryption operation. It should be called before |EVP_PKEY_verify_recover|.
+ *
+ * Public-key decryption is a very obscure operation that is only implemented
+ * by RSA keys. It is effectively a signature verification operation that
+ * returns the signed message directly. It is almost certainly not what you
+ * want.
+ *
+ * It returns one on success or zero on error. */
+OPENSSL_EXPORT int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
+
+/* EVP_PKEY_verify_recover decrypts |sig_len| bytes from |sig|. If |out| is
+ * NULL, the maximum size of the plaintext is written to |out_len|. Otherwise,
+ * |*out_len| must contain the number of bytes of space available at |out|. If
+ * sufficient, the ciphertext will be written to |out| and |*out_len| updated
+ * with the true length.
+ *
+ * WARNING: Setting |out| to NULL only gives the maximum size of the
+ * plaintext. The actual plaintext may be smaller.
+ *
+ * See the warning about this operation in |EVP_PKEY_verify_recover_init|. It
+ * is probably not what you want.
+ *
+ * It returns one on success or zero on error. */
+OPENSSL_EXPORT int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,
+ size_t *out_len, const uint8_t *sig,
+ size_t siglen);
+
/* EVP_PKEY_derive_init initialises an |EVP_PKEY_CTX| for a key derivation
* operation. It should be called before |EVP_PKEY_derive_set_peer| and
* |EVP_PKEY_derive|.
@@ -659,6 +687,16 @@
/* EVP_cleanup does nothing. */
OPENSSL_EXPORT void EVP_cleanup(void);
+OPENSSL_EXPORT void EVP_CIPHER_do_all_sorted(
+ void (*callback)(const EVP_CIPHER *cipher, const char *name,
+ const char *unused, void *arg),
+ void *arg);
+
+OPENSSL_EXPORT void EVP_MD_do_all_sorted(void (*callback)(const EVP_MD *cipher,
+ const char *name,
+ const char *unused,
+ void *arg),
+ void *arg);
/* Private functions */
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 73fdbfe..f6ed6f4 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2704,15 +2704,17 @@
/* SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records
* sent by |ctx|. Beyond this length, handshake messages and application data
- * will be split into multiple records. */
-OPENSSL_EXPORT void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx,
- size_t max_send_fragment);
+ * will be split into multiple records. It returns one on success or zero on
+ * error. */
+OPENSSL_EXPORT int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx,
+ size_t max_send_fragment);
-/* SSL_set_max_send_fragment sets the maximum length, in bytes, of records
- * sent by |ssl|. Beyond this length, handshake messages and application data
- * will be split into multiple records. */
-OPENSSL_EXPORT void SSL_set_max_send_fragment(SSL *ssl,
- size_t max_send_fragment);
+/* SSL_set_max_send_fragment sets the maximum length, in bytes, of records sent
+ * by |ssl|. Beyond this length, handshake messages and application data will
+ * be split into multiple records. It returns one on success or zero on
+ * error. */
+OPENSSL_EXPORT int SSL_set_max_send_fragment(SSL *ssl,
+ size_t max_send_fragment);
/* ssl_early_callback_ctx is passed to certain callbacks that are called very
* early on during the server handshake. At this point, much of the SSL* hasn't
@@ -3732,6 +3734,11 @@
* means that we'll accept Channel IDs from clients. For a client, means that
* we'll advertise support. */
unsigned tlsext_channel_id_enabled:1;
+
+ /* extra_certs is a dummy value included for compatibility.
+ * TODO(agl): remove once node.js no longer references this. */
+ STACK_OF(X509)* extra_certs;
+ int freelist_max_len;
};
struct ssl_st {
@@ -3914,6 +3921,9 @@
* means that we'll accept Channel IDs from clients. For a client, means that
* we'll advertise support. */
unsigned tlsext_channel_id_enabled:1;
+
+ /* TODO(agl): remove once node.js not longer references this. */
+ int tlsext_status_type;
};
typedef struct ssl3_record_st {
@@ -4179,6 +4189,14 @@
OPENSSL_EXPORT int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
+/* Nodejs compatibility section (hidden).
+ *
+ * These defines exist for node.js, with the hope that we can eliminate the
+ * need for them over time. */
+#define SSLerr(function, reason) \
+ ERR_put_error(ERR_LIB_SSL, 0, reason, __FILE__, __LINE__)
+
+
/* Preprocessor compatibility section (hidden).
*
* Historically, a number of APIs were implemented in OpenSSL as macros and
