diff --git a/docs/porting/configuration-differences.md b/docs/porting/configuration-differences.md
index 3dcc9b5a3b..618d370942 100644
--- a/docs/porting/configuration-differences.md
+++ b/docs/porting/configuration-differences.md
@@ -55,12 +55,12 @@ The following table contains the differences in libssl configuration options AWS
-
+
SSL_CTX_set_mode SSL_MODE_AUTO_RETRY ON SSL_MODE_RELEASE_BUFFERS ON SSL_MODE_SEND_CLIENTHELLO_TIME OFF SSL_MODE_SEND_SERVERHELLO_TIME ON
-
+
SSL_CTX_set_options SSL_OP_ALL
+
+ SSL_OP_ALL
+
+ OFF SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION OFF SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS ON SSL_OP_LEGACY_SERVER_CONNECT OFF SSL_OP_NO_COMPRESSION ON SSL_OP_NO_RENEGOTIATION ON SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION ON SSL_OP_NO_SSLv3 ON SSL_OP_TLS_ROLLBACK_BUG OFF SSL_VERIFY_CLIENT_ONCE OFF
-
+
SSL_set_hostflags X509_V_FLAG_X509_STRICT ON X509_V_FLAG_ALLOW_PROXY_CERTS OFF
-
+
X509_check_host X509_CHECK_FLAG_NO_WILDCARDS OFF X509_CHECK_FLAG_NEVER_CHECK_SUBJECT OFF X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT OFF X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS ON X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS OFF X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS OFF
-
+
PKCS7_sign
PKCS7_DETACHED OFF PKCS7_BINARY
+
+ PKCS7_BINARY
+
+
@@ -435,17 +544,29 @@ The following table contains the differences in libcrypto configuration options
PKCS7_NOATTR
+
+ PKCS7_NOATTR
+
+ PKCS7_PARTIAL PKCS7_TEXT
+
+ PKCS7_TEXT
+
+ OFF PKCS7_NOCERTS OFF PKCS7_STREAM
+
+ PKCS7_STREAM
+
+ OFF PKCS7_NOSMIMECAP OFF EVP_PKEY_assign EVP_PKEY_DH
+
+ EVP_PKEY_DH
+
+ Not Supported EVP_PKEY_X448 Not Supported EVP_PKEY_ED448 Not Supported EVP_PKEY_RSA2 Not Supported
-
+
BN_FLG_CONSTTIME
diff --git a/docs/porting/functionality-differences.md b/docs/porting/functionality-differences.md
index d6999dbc1c..6798e0b709 100644
--- a/docs/porting/functionality-differences.md
+++ b/docs/porting/functionality-differences.md
@@ -40,9 +40,8 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor
-
- ssl.h
-
- ssl.h
-
- evp.h
-
-
+
evp.h
@@ -407,11 +401,12 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
-
- ec_key.h
-
Returns nothing as a void function. Aborts if a form other than
- POINT_CONVERSION_UNCOMPRESSED is requested.
+ POINT_CONVERSION_UNCOMPRESSED or POINT_CONVERSION_COMPRESSED is requested.
SSL_set_mode
-
+
SSL_CTX_clear_mode
SSL_clear_mode
@@ -85,7 +85,11 @@ The following table contains the differences in libssl configuration options AWS
-
-
-
-
SSL_set_options
-
+
SSL_CTX_clear_options
SSL_clear_options
@@ -144,7 +160,11 @@ The following table contains the differences in libssl configuration options AWS
-
-
-
-
-
-
-
-
-
-
+
+
+
X509_STORE_CTX_set_flags
+
+
X509_STORE_set_flags
+
+
X509_VERIFY_PARAM_set_flags
- X509_VERIFY_PARAM_set_hostflags
+
+
+ X509_VERIFY_PARAM_set_hostflags
-
-
+
+
X509_check_email
+
+
X509_check_ip
X509_check_ip_asc
@@ -329,7 +406,11 @@ The following table contains the differences in libcrypto configuration options
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@@ -491,7 +486,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
-
@@ -68,9 +67,8 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor
@@ -114,9 +112,8 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor
- Deprecated DH functions
+
+ FFDH Ciphersuite No-ops
@@ -174,8 +171,7 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor
- Deprecated COMP functions
+
+ SSL_COMP and COMP_METHOD No-ops
@@ -200,8 +196,7 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor
@@ -217,8 +212,7 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor
@@ -234,8 +228,7 @@ libssl is the portion of OpenSSL which supports TLS. AWS-LC does not have suppor
@@ -332,11 +325,12 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
+
+ EVP_PKEY_DSA No-ops
+
+
- EVP_PKEY_DSA
+ Porting Guide
@@ -385,7 +379,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
-
- ec.h
+
+ EC_KEY
+
+
+
+ EC_GROUP
@@ -468,8 +463,8 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
@@ -480,7 +475,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
- + conf.h
@@ -535,6 +530,10 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
+
+ rand.h
+
+
Entropy Sources
@@ -653,7 +652,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
- + asn1.h
@@ -697,7 +696,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
- + thread.h
@@ -838,7 +837,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
- + evp.h
@@ -887,7 +886,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
- + cipher.h
@@ -900,7 +899,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
Does nothing.
This functions sets flags for EVP_CIPHER_CTX, so any related flags are also no-ops. Related no-op flags can be found in
-
+
the surrounding documentation
.
@@ -919,7 +918,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
- + digest.h
@@ -932,7 +931,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
Does nothing.
This functions sets flags for EVP_MD_CTX, so any related flags are also no-ops. Related no-op flags can be found in
-
+
the surrounding documentation
.
@@ -951,7 +950,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
- + dh.h
@@ -964,7 +963,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
Does nothing.
This functions clears flags for DH, so any related flags are also no-ops. Related no-op flags can be found in
-
+
the surrounding documentation
.
@@ -975,7 +974,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
- + ex_data.h
@@ -1000,7 +999,7 @@ Older and less common usages of `EVP_PKEY` have been removed. For example, signi
- + bio.h
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index fe0c09c7b0..299a8968dc 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -5594,7 +5594,7 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); // AWS-LC #define SSL_OP_NO_SSLv2 0
-// SSL_OP_NO_SSLv2 is ON by default in AWS-LC. There is no support for SSLv3 in
+// SSL_OP_NO_SSLv3 is ON by default in AWS-LC. There is no support for SSLv3 in
 // AWS-LC #define SSL_OP_NO_SSLv3 0
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index a04be3de3b..2042e610b2 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -3127,7 +3127,15 @@ OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm);
 OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm);
-OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
+
+// X509_STORE_set_flags enables all values in |flags| in |store|'s verification
+// flags. |flags| should be a combination of |X509_V_FLAG_*| constants.
+//
+// WARNING: These flags will be combined with default flags when copied to an
+// |X509_STORE_CTX|. This means it is impossible to unset those defaults from
+// the |X509_STORE|. See discussion in |X509_STORE_get0_param|. OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *store, unsigned long flags);
+
 OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
 OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *ctx, int trust);
 OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *ctx,
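Review bot: The corrected comment above `#define SSL_OP_NO_SSLv3 0` still leaves the porting trap unstated: because the macro expands to 0, passing it to `SSL_CTX_set_options` or `SSL_CTX_clear_options` is a no-op, and a hardening self-check such as `SSL_CTX_get_options(ctx) & SSL_OP_NO_SSLv3` evaluates to 0 even though SSLv3 is unconditionally unavailable. Consider adding one line so porters do not misread that result: `// The macro is 0, so this option cannot be observed via SSL_CTX_get_options; SSLv3 is always disabled.` The same presumably applies to the `SSL_OP_NO_SSLv2` definition just above it, which I have not checked. Blank lines in this hunk appear to have been lost in extraction.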
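Review bot: The new comment on `X509_STORE_set_flags` leaves its `int` return value undocumented, while the comment this same patch adds to `X509_VERIFY_PARAM_set_flags` states "returns one"; from the header alone a porter cannot tell whether a zero return must be handled here. If this function likewise always succeeds, say so at the end of the second line: `// flags. |flags| should be a combination of |X509_V_FLAG_*| constants. Returns one.` — confirm against the implementation before asserting it. The WARNING about defaults being merged into the `X509_STORE_CTX` is the right caveat to surface, since it is exactly what would defeat an attempt to relax a verification default at store level. Minor: the parameter was renamed `ctx` to `store` to match the comment, but the neighbouring `X509_STORE_set_purpose`, `X509_STORE_set_trust` and `X509_STORE_set1_param` still use `ctx`; the rewritten declaration's `+` marker also appears to have been lost in extraction.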
@@ -3248,6 +3256,10 @@ OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
 OPENSSL_EXPORT int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust);
+
+// X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s
+// verification flags. |flags| should be a combination of |X509_V_FLAG_*|
+// constants.
 OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
@@ -3326,8 +3338,13 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from);
 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from);
+
+// X509_VERIFY_PARAM_set_flags enables all values in |flags| in |param|'s
+// verification flags and returns one. |flags| should be a combination of
+// |X509_V_FLAG_*| constants.
 OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
+
 OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags);
 OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags(
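Review bot: The new comment on `X509_VERIFY_PARAM_set_flags` says it "returns one", which implies the call never fails and accepts any bit pattern, so a porter must not read the return value as confirmation that a given `X509_V_FLAG_*` is honoured by AWS-LC; that consequence should be stated rather than left implied. Suggested second sentence: `// verification flags and always returns one; the return value does not indicate whether a given flag has any effect.` The neighbouring `X509_VERIFY_PARAM_clear_flags` declaration in the following context line stays undocumented — a parallel one-line comment (presumably it disables the given bits; confirm against the implementation) would complete the set. All three declarations touched by this hunk are complete within the excerpt.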