Skip to content

Commit

Permalink
Enable building against OpenSSL 3.0
Browse files Browse the repository at this point in the history 
NOTE: This is a first step to allow us to start experimenting with OpenSSL 3.

 - Use const uint8_t* pointer when calling `EVP_PKEY_CTX_set*` functions
 - Remove `EXACT` keyword when using `find_package` for OpenSSL
 - Assign the result of `EVP_PKEY_get0_EC_KEY` to a `const EC_KEY*`

PiperOrigin-RevId: 528720245
Change-Id: Id61bf0e18a9e7e351fa1c3c750247364000c0d58
  • Loading branch information
@morambro @copybara-github
morambro authored and copybara-github committed May 2, 2023
1 parent 6e9ab05 commit 4b09176
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 13 deletions.
2 changes: 1 addition & 1 deletion cmake/TinkWorkspace.cmake
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ if (NOT TARGET crypto)
"$<BUILD_INTERFACE:${boringssl_SOURCE_DIR}/src/include>")
else()
# Support for ED25519 was added from 1.1.1.
find_package(OpenSSL 1.1.1 EXACT REQUIRED)
find_package(OpenSSL 1.1.1 REQUIRED)
_create_interface_target(crypto OpenSSL::Crypto)
endif()
else()
Expand Down
20 changes: 10 additions & 10 deletions tink/subtle/hkdf.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,11 @@

#include "tink/subtle/hkdf.h"

#include <cstdint>
#include <string>

#include "absl/algorithm/container.h"
#include "absl/status/status.h"
#include "absl/strings/str_cat.h"
#include "absl/strings/string_view.h"
#include "absl/types/span.h"
#include "openssl/evp.h"
Expand All @@ -30,6 +30,7 @@
// doesn't provide means to compute HKDF in BoringSSL. As a consequence, we need
// to selectively include the correct header and use different implementations.
#ifdef OPENSSL_IS_BORINGSSL
#include "openssl/base.h"
#include "openssl/hkdf.h"
#else
#include "openssl/kdf.h"
Expand All @@ -52,11 +53,12 @@ namespace {
util::Status SslHkdf(const EVP_MD *evp_md, absl::string_view ikm,
absl::string_view salt, absl::string_view info,
absl::Span<uint8_t> out_key) {
const uint8_t *ikm_ptr = reinterpret_cast<const uint8_t *>(ikm.data());
const uint8_t *salt_ptr = reinterpret_cast<const uint8_t *>(salt.data());
const uint8_t *info_ptr = reinterpret_cast<const uint8_t *>(info.data());
#ifdef OPENSSL_IS_BORINGSSL
if (HKDF(out_key.data(), out_key.size(), evp_md,
reinterpret_cast<const uint8_t *>(ikm.data()), ikm.size(),
reinterpret_cast<const uint8_t *>(salt.data()), salt.size(),
reinterpret_cast<const uint8_t *>(info.data()), info.size()) != 1) {
if (HKDF(out_key.data(), out_key.size(), evp_md, ikm_ptr, ikm.size(),
salt_ptr, salt.size(), info_ptr, info.size()) != 1) {
return util::Status(absl::StatusCode::kInternal, "HKDF failed");
}
return util::OkStatus();
Expand All @@ -65,11 +67,9 @@ util::Status SslHkdf(const EVP_MD *evp_md, absl::string_view ikm,
EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, /*e=*/nullptr));
if (pctx == nullptr || EVP_PKEY_derive_init(pctx.get()) <= 0 ||
EVP_PKEY_CTX_set_hkdf_md(pctx.get(), evp_md) <= 0 ||
EVP_PKEY_CTX_set1_hkdf_salt(pctx.get(), salt.data(), salt.size()) <= 0 ||
EVP_PKEY_CTX_set1_hkdf_key(pctx.get(),
reinterpret_cast<const uint8_t *>(ikm.data()),
ikm.size()) <= 0 ||
EVP_PKEY_CTX_add1_hkdf_info(pctx.get(), info.data(), info.size()) <= 0) {
EVP_PKEY_CTX_set1_hkdf_salt(pctx.get(), salt_ptr, salt.size()) <= 0 ||
EVP_PKEY_CTX_set1_hkdf_key(pctx.get(), ikm_ptr, ikm.size()) <= 0 ||
EVP_PKEY_CTX_add1_hkdf_info(pctx.get(), info_ptr, info.size()) <= 0) {
return util::Status(absl::StatusCode::kInternal,
"EVP_PKEY_CTX setup failed");
}
Expand Down
4 changes: 2 additions & 2 deletions tink/subtle/pem_parser_boringssl.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -358,7 +358,7 @@ PemParser::ParseEcPublicKey(absl::string_view pem_serialized_key) {
"PEM Public Key parsing failed");
}
// No need to free bssl_ecdsa_key after use.
EC_KEY* bssl_ecdsa_key = EVP_PKEY_get0_EC_KEY(evp_ecdsa_key.get());
const EC_KEY* bssl_ecdsa_key = EVP_PKEY_get0_EC_KEY(evp_ecdsa_key.get());
auto is_valid = VerifyEcdsaKey(bssl_ecdsa_key);
if (!is_valid.ok()) {
return is_valid;
Expand Down Expand Up @@ -413,7 +413,7 @@ PemParser::ParseEcPrivateKey(absl::string_view pem_serialized_key) {
}

// No need to free bssl_ecdsa_key after use.
EC_KEY* bssl_ecdsa_key = EVP_PKEY_get0_EC_KEY(evp_ecdsa_key.get());
const EC_KEY* bssl_ecdsa_key = EVP_PKEY_get0_EC_KEY(evp_ecdsa_key.get());
util::Status verify_result = VerifyEcdsaKey(bssl_ecdsa_key);
if (!verify_result.ok()) {
return verify_result;
Expand Down

0 comments on commit 4b09176

Please sign in to comment.