Remove OPENSSL_EXPORT from some internal libssl functions Things that are only exported for unit tests can also just gate the tests on the static library build. Change-Id: Ia40f97379b5356a7a598f780893a6bd4cfadfdf8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/92907 Commit-Queue: Lily Chen <chlily@google.com> Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Lily Chen <chlily@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h index 94f7007..4d86a61 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -628,8 +628,8 @@ // // |max_valid_seqnum| must be most 2^48-1, in which case the output will also be // at most 2^48-1. -OPENSSL_EXPORT uint64_t reconstruct_seqnum(uint16_t wire_seq, uint64_t seq_mask, - uint64_t max_valid_seqnum); +uint64_t reconstruct_seqnum(uint16_t wire_seq, uint64_t seq_mask, + uint64_t max_valid_seqnum); // Record layer. @@ -1112,13 +1112,12 @@ // ssl_cert_check_key_usage parses the DER-encoded, X.509 certificate in |in| // and returns true if doesn't specify a key usage or, if it does, if it // includes |bit|. Otherwise it pushes to the error queue and returns false. -OPENSSL_EXPORT bool ssl_cert_check_key_usage(const CBS *in, - enum ssl_key_usage_t bit); +bool ssl_cert_check_key_usage(const CBS *in, enum ssl_key_usage_t bit); // ssl_cert_extract_issuer parses the DER-encoded, X.509 certificate in |in| // and extracts the issuer. On success it returns true and the DER encoded // issuer is in |out_dn|, otherwise it returns false. -OPENSSL_EXPORT bool ssl_cert_extract_issuer(const CBS *in, CBS *out_dn); +bool ssl_cert_extract_issuer(const CBS *in, CBS *out_dn); // ssl_cert_matches_issuer parses the DER-encoded, X.509 certificate in |in| // and returns true if its issuer is an exact match for the DER encoded @@ -1381,8 +1380,7 @@ // ssl_is_valid_ech_public_name returns true if |public_name| is a valid ECH // public name and false otherwise. It is exported for testing. -OPENSSL_EXPORT bool ssl_is_valid_ech_public_name( - Span<const uint8_t> public_name); +bool ssl_is_valid_ech_public_name(Span<const uint8_t> public_name); // ssl_is_valid_ech_config_list returns true if |ech_config_list| is a valid // ECHConfigList structure and false otherwise.
diff --git a/ssl/ssl_internal_test.cc b/ssl/ssl_internal_test.cc index 58169cd..a26c065 100644 --- a/ssl/ssl_internal_test.cc +++ b/ssl/ssl_internal_test.cc
@@ -543,6 +543,64 @@ } } +TEST(SSLTest, ECHPublicName) { + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes(""))); + EXPECT_TRUE(ssl_is_valid_ech_public_name(StringAsBytes("example.com"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes(".example.com"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.com."))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example..com"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("www.-example.com"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("www.example-.com"))); + EXPECT_FALSE( + ssl_is_valid_ech_public_name(StringAsBytes("no_underscores.example"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name( + StringAsBytes("invalid_chars.\x01.example"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name( + StringAsBytes("invalid_chars.\xff.example"))); + static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0}; + EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL)); + + // Test an LDH label with every character and the maximum length. + EXPECT_TRUE(ssl_is_valid_ech_public_name(StringAsBytes( + "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes( + "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-01234567899"))); + + // Inputs with trailing numeric components are rejected. + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("127.0.0.1"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.1"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.01"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.0x01"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.0X01"))); + // Leading zeros and values that overflow |uint32_t| are still rejected. + EXPECT_FALSE(ssl_is_valid_ech_public_name( + StringAsBytes("example.123456789000000000000000"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name( + StringAsBytes("example.012345678900000000000000"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name( + StringAsBytes("example.0x123456789abcdefABCDEF0"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name( + StringAsBytes("example.0x0123456789abcdefABCDEF"))); + // Adding a non-digit or non-hex character makes it a valid DNS name again. + // Single-component numbers are rejected. + EXPECT_TRUE( + ssl_is_valid_ech_public_name(StringAsBytes("example.1234567890a"))); + EXPECT_TRUE( + ssl_is_valid_ech_public_name(StringAsBytes("example.01234567890a"))); + EXPECT_TRUE(ssl_is_valid_ech_public_name( + StringAsBytes("example.0x123456789abcdefg"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("1"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("01"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("0x01"))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("0X01"))); + // Numbers with trailing dots are rejected. (They are already rejected by the + // LDH label rules, but the WHATWG URL parser additionally rejects them.) + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("1."))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("01."))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("0x01."))); + EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("0X01."))); +} + } // namespace BSSL_NAMESPACE_END #endif // !BORINGSSL_SHARED_LIBRARY
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index 3476f3e..49adcaf 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc
@@ -2821,64 +2821,6 @@ } } -TEST(SSLTest, ECHPublicName) { - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes(""))); - EXPECT_TRUE(ssl_is_valid_ech_public_name(StringAsBytes("example.com"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes(".example.com"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.com."))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example..com"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("www.-example.com"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("www.example-.com"))); - EXPECT_FALSE( - ssl_is_valid_ech_public_name(StringAsBytes("no_underscores.example"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name( - StringAsBytes("invalid_chars.\x01.example"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name( - StringAsBytes("invalid_chars.\xff.example"))); - static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0}; - EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL)); - - // Test an LDH label with every character and the maximum length. - EXPECT_TRUE(ssl_is_valid_ech_public_name(StringAsBytes( - "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-0123456789"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes( - "abcdefhijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ-01234567899"))); - - // Inputs with trailing numeric components are rejected. - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("127.0.0.1"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.1"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.01"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.0x01"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("example.0X01"))); - // Leading zeros and values that overflow |uint32_t| are still rejected. - EXPECT_FALSE(ssl_is_valid_ech_public_name( - StringAsBytes("example.123456789000000000000000"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name( - StringAsBytes("example.012345678900000000000000"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name( - StringAsBytes("example.0x123456789abcdefABCDEF0"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name( - StringAsBytes("example.0x0123456789abcdefABCDEF"))); - // Adding a non-digit or non-hex character makes it a valid DNS name again. - // Single-component numbers are rejected. - EXPECT_TRUE( - ssl_is_valid_ech_public_name(StringAsBytes("example.1234567890a"))); - EXPECT_TRUE( - ssl_is_valid_ech_public_name(StringAsBytes("example.01234567890a"))); - EXPECT_TRUE(ssl_is_valid_ech_public_name( - StringAsBytes("example.0x123456789abcdefg"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("1"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("01"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("0x01"))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("0X01"))); - // Numbers with trailing dots are rejected. (They are already rejected by the - // LDH label rules, but the WHATWG URL parser additionally rejects them.) - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("1."))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("01."))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("0x01."))); - EXPECT_FALSE(ssl_is_valid_ech_public_name(StringAsBytes("0X01."))); -} - // When using the built-in verifier, test that |SSL_get0_ech_name_override| is // applied automatically. TEST(SSLTest, ECHBuiltinVerifier) { @@ -5664,6 +5606,7 @@ // Configure one chain (including the leaf), then replace it with another. ASSERT_TRUE(SSL_CREDENTIAL_set1_cert_chain(cred.get(), wrong_chain.data(), wrong_chain.size())); +#if !defined(BORINGSSL_SHARED_LIBRARY) CBS ca_subject_cbs, ca_cbs; CRYPTO_BUFFER_init_CBS(ca.get(), &ca_cbs); ASSERT_TRUE(ssl_cert_extract_issuer(&ca_cbs, &ca_subject_cbs)); @@ -5673,7 +5616,6 @@ CRYPTO_BUFFER_len(ca_subject.get())), Bytes(CRYPTO_BUFFER_data(subject_buf.get()), CRYPTO_BUFFER_len(subject_buf.get()))); -#if !defined(BORINGSSL_SHARED_LIBRARY) ASSERT_FALSE( FromOpaque(cred.get()) ->ChainContainsIssuer(Span(CRYPTO_BUFFER_data(subject_buf.get()),