| # BoringSSL API Conventions |
| |
| This document describes conventions for BoringSSL APIs. The [style |
| guide](./STYLE.md) also includes guidelines, but this document is targeted at |
| both API consumers and developers. API documentation in BoringSSL may assume |
| these conventions by default, rather than repeating them for every function. |
| |
| |
| ## Documentation |
| |
| All supported public APIs are documented in the public header files, found in |
| `include/openssl`. The API documentation is also available |
| [online](https://commondatastorage.googleapis.com/chromium-boringssl-docs/headers.html). |
| |
| Experimental public APIs are found in `include/openssl/experimental`. Use of |
| these will likely be incompatible with changes in the near future as they are |
| finalized. |
| |
| ## Forward declarations |
| |
| Do not write `typedef struct foo_st FOO` or try otherwise to define BoringSSL's |
| types. Including `openssl/base.h` (or `openssl/ossl_typ.h` for consumers who |
| wish to be OpenSSL-compatible) will forward-declare each type without importing |
| the rest of the library or invasive macros. |
| |
| |
| ## Error-handling |
| |
| Most functions in BoringSSL may fail, either due to allocation failures or input |
| errors. Functions which return an `int` typically return one on success and zero |
| on failure. Functions which return a pointer typically return `NULL` on failure. |
| However, due to legacy constraints, some functions are more complex. Consult the |
| API documentation before using a function. |
| |
| On error, most functions also push errors on the error queue, an `errno`-like |
| mechanism. See the documentation for |
| [err.h](https://commondatastorage.googleapis.com/chromium-boringssl-docs/err.h.html) |
| for more details. |
| |
| As with `errno`, callers must test the function's return value, not the error |
| queue to determine whether an operation failed. Some codepaths may not interact |
| with the error queue, and the error queue may have state from a previous failed |
| operation. |
| |
| When ignoring a failed operation, it is recommended to call `ERR_clear_error` to |
| avoid the state interacting with future operations. Failing to do so should not |
| affect the actual behavior of any functions, but may result in errors from both |
| operations being mixed in error logging. We hope to |
| [improve](https://bugs.chromium.org/p/boringssl/issues/detail?id=38) this |
| situation in the future. |
| |
| Where possible, avoid conditioning on specific reason codes and limit usage to |
| logging. The reason codes are very specific and may change over time. |
| |
| |
| ## Memory allocation |
| |
| BoringSSL allocates memory via `OPENSSL_malloc`, found in `mem.h`. Use |
| `OPENSSL_free`, found in the same header file, to release it. BoringSSL |
| functions will fail gracefully on allocation error, but it is recommended to use |
| a `malloc` implementation that `abort`s on failure. |
| |
| |
| ## Pointers and slices |
| |
| Unless otherwise specified, pointer parameters that refer to a single object, |
| either as an input or output parameter, may not be `NULL`. In this case, |
| BoringSSL often will not check for `NULL` before dereferencing, so passing |
| `NULL` may crash or exhibit other undefined behavior. (Sometimes the function |
| will check for `NULL` anyway, for OpenSSL compatibility, but we still consider |
| passing `NULL` to be a caller error.) |
| |
| Pointer parameters may also refer to a contiguous sequence of objects, sometimes |
| referred to as a *slice*. These will typically be a pair of pointer and length |
| parameters named like `plaintext` and `plaintext_len`, or `objs` and `num_objs`. |
| We prefer the former for byte buffers and the latter for sequences of other |
| types. The documentation will usually refer to both parameters together, e.g. |
| "`EVP_DigestUpdate` hashes `len` bytes from `data`." |
| |
| Parameters in C and C++ that use array syntax, such as |
| `uint8_t out[SHA256_DIGEST_LENGTH]`, are really pointers. In BoringSSL's uses of |
| this syntax, the pointer must point to the specified number of values. |
| |
| In other cases, the documentation will describe how the function parameters |
| determine the slice's length. For example, a slice's length may be measured in |
| units other than element count, multiple slice parameters may share a length, or |
| a slice's length may be implicitly determined by other means like RSA key size. |
| |
| By default, BoringSSL follows C++'s |
| [slice conventions](https://davidben.net/2024/01/15/empty-slices.html) |
| for pointers. That is, unless otherwise specified, pointers for non-empty |
| (non-zero length) slices must be represented by a valid pointer to that many |
| objects in memory. Pointers for empty (zero length) slices must either be `NULL` |
| or point within some sequence of objects of a compatible type. |
| |
| WARNING: The dangling, non-null pointer used by Rust empty slices may *not* be |
| passed into BoringSSL. Rust FFIs must adjust such pointers to before passing to |
| BoringSSL. For example, see the `FfiSlice` abstraction in `bssl-crypto`. (We may |
| relax this if pointer arithmetic rules in C/C++ are adjusted to permit Rust's |
| pointers. Until then, it is impractical for a C/C++ library to act on such a |
| slice representation. See |
| [this document](https://davidben.net/2024/01/15/empty-slices.html) for more |
| discussion.) |
| |
| In some cases, OpenSSL compatibility requires that a function will treat `NULL` |
| slice pointers differently from non-`NULL` pointers. Such behavior will be |
| described in documentation. For examples, see `EVP_EncryptUpdate`, |
| `EVP_DigestSignFinal`, and `HMAC_Init_ex`. Callers passing potentially empty |
| slices into such functions should take care that the `NULL` case is either |
| unreachable or still has the desired behavior. |
| |
| If a `const char *` parameter is described as a "NUL-terminated string" or a |
| "C string", it must point to a sequence of `char` values containing a NUL (zero) |
| value, which determines the length. Unless otherwise specified, the pointer may |
| not be `NULL`, matching the C standard library. |
| |
| For purposes of C and C++'s |
| [strict aliasing](https://en.cppreference.com/w/c/language/object#Strict_aliasing) |
| requirements, objects passed by pointers must be accessible as the specified |
| type. `uint8_t` may be assumed to be the same type as `unsigned char` and thus |
| may be the pointer type for all object types. BoringSSL does not support |
| platforms where `uint8_t` is a non-character type. However, there is no |
| strict aliasing sanitizer, very few C and C++ codebases are valid by strict |
| aliasing, and BoringSSL itself has some |
| [known strict aliasing bugs](https://crbug.com/boringssl/444), thus we strongly |
| recommend consumers build with `-fno-strict-aliasing`. |
| |
| Pointer parameters additionally have ownership and lifetime requirements, |
| discussed in the section below. |
| |
| |
| ## Object initialization and cleanup |
| |
| BoringSSL defines a number of structs for use in its APIs. It is a C library, |
| so the caller is responsible for ensuring these structs are properly |
| initialized and released. Consult the documentation for a module for the |
| proper use of its types. Some general conventions are listed below. |
| |
| |
| ### Heap-allocated types |
| |
| Some types, such as `RSA`, are heap-allocated. All instances will be allocated |
| and returned from BoringSSL's APIs. It is an error to instantiate a heap- |
| allocated type on the stack or embedded within another object. |
| |
| Heap-allocated types may have functioned named like `RSA_new` which allocates a |
| fresh blank `RSA`. Other functions may also return newly-allocated instances. |
| For example, `RSA_parse_public_key` is documented to return a newly-allocated |
| `RSA` object. |
| |
| Heap-allocated objects must be released by the corresponding free function, |
| named like `RSA_free`. Like C's `free` and C++'s `delete`, all free functions |
| internally check for `NULL`. It is redundant to check for `NULL` before calling. |
| |
| A heap-allocated type may be reference-counted. In this case, a function named |
| like `RSA_up_ref` will be available to take an additional reference count. The |
| free function must be called to decrement the reference count. It will only |
| release resources when the final reference is released. For OpenSSL |
| compatibility, these functions return `int`, but callers may assume they always |
| successfully return one because reference counts use saturating arithmetic. |
| |
| C++ consumers are recommended to use `bssl::UniquePtr` to manage heap-allocated |
| objects. `bssl::UniquePtr<T>`, like other types, is forward-declared in |
| `openssl/base.h`. Code that needs access to the free functions, such as code |
| which destroys a `bssl::UniquePtr`, must include the corresponding module's |
| header. (This matches `std::unique_ptr`'s relationship with forward |
| declarations.) Note, despite the name, `bssl::UniquePtr` is also used with |
| reference-counted types. It owns a single reference to the object. To take an |
| additional reference, use the `bssl::UpRef` function, which will return a |
| separate `bssl::UniquePtr`. |
| |
| |
| ### Stack-allocated types |
| |
| Other types in BoringSSL are stack-allocated, such as `EVP_MD_CTX`. These |
| types may be allocated on the stack or embedded within another object. |
| However, they must still be initialized before use. |
| |
| Every stack-allocated object in BoringSSL has a *zero state*, analogous to |
| initializing a pointer to `NULL`. In this state, the object may not be |
| completely initialized, but it is safe to call cleanup functions. Entering the |
| zero state cannot fail. (It is usually `memset(0)`.) |
| |
| The function to enter the zero state is named like `EVP_MD_CTX_init` or |
| `CBB_zero` and will always return `void`. To release resources associated with |
| the type, call the cleanup function, named like `EVP_MD_CTX_cleanup`. The |
| cleanup function must be called on all codepaths, regardless of success or |
| failure. For example: |
| |
| uint8_t md[EVP_MAX_MD_SIZE]; |
| unsigned md_len; |
| EVP_MD_CTX ctx; |
| EVP_MD_CTX_init(&ctx); /* Enter the zero state. */ |
| int ok = EVP_DigestInit_ex(&ctx, EVP_sha256(), NULL) && |
| EVP_DigestUpdate(&ctx, "hello ", 6) && |
| EVP_DigestUpdate(&ctx, "world", 5) && |
| EVP_DigestFinal_ex(&ctx, md, &md_len); |
| EVP_MD_CTX_cleanup(&ctx); /* Release |ctx|. */ |
| |
| Note that `EVP_MD_CTX_cleanup` is called whether or not the `EVP_Digest*` |
| operations succeeded. More complex C functions may use the `goto err` pattern: |
| |
| int ret = 0; |
| EVP_MD_CTX ctx; |
| EVP_MD_CTX_init(&ctx); |
| |
| if (!some_other_operation()) { |
| goto err; |
| } |
| |
| uint8_t md[EVP_MAX_MD_SIZE]; |
| unsigned md_len; |
| if (!EVP_DigestInit_ex(&ctx, EVP_sha256(), NULL) || |
| !EVP_DigestUpdate(&ctx, "hello ", 6) || |
| !EVP_DigestUpdate(&ctx, "world", 5) || |
| !EVP_DigestFinal_ex(&ctx, md, &md_len) { |
| goto err; |
| } |
| |
| ret = 1; |
| |
| err: |
| EVP_MD_CTX_cleanup(&ctx); |
| return ret; |
| |
| Note that, because `ctx` is set to the zero state before any failures, |
| `EVP_MD_CTX_cleanup` is safe to call even if the first operation fails before |
| `EVP_DigestInit_ex`. However, it would be illegal to move the `EVP_MD_CTX_init` |
| below the `some_other_operation` call. |
| |
| As a rule of thumb, enter the zero state of stack-allocated structs in the |
| same place they are declared. |
| |
| C++ consumers are recommended to use the wrappers named like |
| `bssl::ScopedEVP_MD_CTX`, defined in the corresponding module's header. These |
| wrappers are automatically initialized to the zero state and are automatically |
| cleaned up. |
| |
| |
| ### Data-only types |
| |
| A few types, such as `SHA_CTX`, are data-only types and do not require cleanup. |
| These are usually for low-level cryptographic operations. These types may be |
| used freely without special cleanup conventions. |
| |
| |
| ### Ownership and lifetime |
| |
| When working with allocated objects, it is important to think about *ownership* |
| of each object, or what code is responsible for releasing it. This matches the |
| corresponding notion in higher-level languages like C++ and Rust. |
| |
| Ownership applies to both uniquely-owned types and reference-counted types. For |
| the latter, ownership means the code is responsible for releasing one |
| reference. Note a *reference* in BoringSSL refers to an increment (and eventual |
| decrement) of an object's reference count, not `T&` in C++. Thus, to "take a |
| reference" means to increment the reference count and take ownership of |
| decrementing it. |
| |
| As BoringSSL's APIs are primarily in C, ownership and lifetime obligations are |
| not rigorously annotated in the type signatures or checked at compile-time. |
| Instead, they are described in |
| [API documentation](https://commondatastorage.googleapis.com/chromium-boringssl-docs/headers.html). |
| This section describes some conventions. |
| |
| Unless otherwise documented, functions do not take ownership of pointer |
| arguments. The pointer typically must remain valid for the duration of the |
| function call. The function may internally copy information from the argument or |
| take a reference, but the caller is free to release its copy or reference at any |
| point after the call completes. |
| |
| A function may instead be documented to *take* or *transfer* ownership of a |
| pointer. The caller must own the object before the function call and, after |
| transfer, no longer owns it. As a corollary, the caller may no longer reference |
| the object without a separate guarantee on the lifetime. The function may even |
| release the object before returning. Callers that wish to independently retain a |
| transfered object must therefore take a reference or make a copy before |
| transferring. Callers should also take note of whether the function is |
| documented to transfer pointers unconditionally or only on success. Unlike C++ |
| and Rust, functions in BoringSSL typically only transfer on success. |
| |
| Likewise, output pointers may be owning or non-owning. Unless otherwise |
| documented, functions output non-owning pointers. The caller is not responsible |
| for releasing the output pointer, but it must not use the pointer beyond its |
| lifetime. The pointer may be released when the parent object is released or even |
| sooner on state change in the parent object. |
| |
| If documented to output a *newly-allocated* object or a *reference* or *copy* of |
| one, the caller is responsible for releasing the object when it is done. |
| |
| By convention, functions named `get0` return non-owning pointers. Functions |
| named `new` or `get1` return owning pointers. Functions named `set0` take |
| ownership of arguments. Functions named `set1` do not. They typically take a |
| reference or make a copy internally. These names originally referred to the |
| effect on a reference count, but the convention applies equally to |
| non-reference-counted types. |
| |
| API documentation may also describe more complex obligations. For instance, an |
| object may borrow a pointer for longer than the duration of a single function |
| call, in which case the caller must ensure the lifetime extends accordingly. |
| |
| Memory errors are one of the most common and dangerous bugs in C and C++, so |
| callers are encouraged to make use of tools such as |
| [AddressSanitizer](https://clang.llvm.org/docs/AddressSanitizer.html) and |
| higher-level languages. |
| |
| |
| ## Thread safety |
| |
| BoringSSL is internally aware of the platform threading library and calls into |
| it as needed. Consult the API documentation for the threading guarantees of |
| particular objects. In general, stateless reference-counted objects like `RSA` |
| or `EVP_PKEY` which represent keys may typically be used from multiple threads |
| simultaneously, provided no thread mutates the key. |