#23 Update to .NET Core Runtime 2.1.10 and SDK 2.1.506
Merged 4 years ago by rhea. Opened 4 years ago by omajid.
dotnet-sig/ omajid/dotnet-2-1 master  into  master

@@ -1,724 +0,0 @@ 

- From 7f5ccbde792c7fd94ec27c33861ae1c3118ecf93 Mon Sep 17 00:00:00 2001

- From: Filip Navara <filip.navara@gmail.com>

- Date: Sun, 24 Jun 2018 06:29:39 +0200

- Subject: [PATCH 1/7] NetFX compatibility fixes for X500DistinguishedName.

- 

- * Don't write a separator after the empty DN

- * Make T61String behave like it does on Windows (UTF-8 with a Latin-1 fallback)

- * Use the managed decoder on Linux, instead of a lot of P/Invokes back into OpenSSL.

- ---

-  .../Interop.ASN1.cs                           |  27 ----

-  .../Interop.X509Name.cs                       |  39 ------

-  .../Interop.X509NameEntry.cs                  |  61 ---------

-  .../SafeHandles/SafeX509NameHandle.Unix.cs    |  30 -----

-  .../Cryptography/DerSequenceReader.cs         |  35 +++++

-  .../pal_x509_name.cpp                         |   5 +

-  .../pal_x509_name.h                           |   5 +

-  .../src/System.Net.Http.csproj                |   3 -

-  .../src/System.Net.Security.csproj            |   3 -

-  ...em.Security.Cryptography.Algorithms.csproj |   1 +

-  ...stem.Security.Cryptography.Encoding.csproj |   1 +

-  ...ystem.Security.Cryptography.OpenSsl.csproj |   1 +

-  .../Pal.Unix/X500NameEncoder.ManagedDecode.cs |   4 +-

-  .../Pal.Unix/X500NameEncoder.OpenSslDecode.cs | 123 ------------------

-  .../Cryptography/Pal.Unix/X500NameEncoder.cs  |   7 +-

-  ...urity.Cryptography.X509Certificates.csproj |  10 +-

-  .../tests/X500DistinguishedNameTests.cs       |  69 ++++++++++

-  17 files changed, 125 insertions(+), 299 deletions(-)

-  delete mode 100644 src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509NameEntry.cs

-  delete mode 100644 src/Common/src/Microsoft/Win32/SafeHandles/SafeX509NameHandle.Unix.cs

-  delete mode 100644 src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.OpenSslDecode.cs

- 

- diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.ASN1.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.ASN1.cs

- index 962eaa426f..5bd2e8b9b4 100644

- --- a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.ASN1.cs

- +++ b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.ASN1.cs

- @@ -61,22 +61,6 @@ internal static partial class Interop

-          [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_Asn1StringFree")]

-          internal static extern void Asn1StringFree(IntPtr o);

-  

- -        internal static string GetOidValue(SafeSharedAsn1ObjectHandle asn1Object)

- -        {

- -            Debug.Assert(asn1Object != null);

- -

- -            bool added = false;

- -            asn1Object.DangerousAddRef(ref added);

- -            try

- -            {

- -                return GetOidValue(asn1Object.DangerousGetHandle());

- -            }

- -            finally

- -            {

- -                asn1Object.DangerousRelease();

- -            }

- -        }

- -

-          internal static unsafe string GetOidValue(IntPtr asn1ObjectPtr)

-          {

-              // OBJ_obj2txt returns the number of bytes that should have been in the answer, but it does not accept

- @@ -127,14 +111,3 @@ internal static partial class Interop

-          }

-      }

-  }

- -

- -namespace Microsoft.Win32.SafeHandles

- -{

- -    internal class SafeSharedAsn1ObjectHandle : SafeInteriorHandle

- -    {

- -        private SafeSharedAsn1ObjectHandle() :

- -            base(IntPtr.Zero, ownsHandle: true)

- -        {

- -        }

- -    }

- -}

- diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Name.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Name.cs

- index 0f0fecad24..70097d7db2 100644

- --- a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Name.cs

- +++ b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Name.cs

- @@ -15,16 +15,6 @@ internal static partial class Interop

-          [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_GetX509NameStackFieldCount")]

-          internal static extern int GetX509NameStackFieldCount(SafeSharedX509NameStackHandle sk);

-  

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_PushX509NameStackField")]

- -        [return: MarshalAs(UnmanagedType.Bool)]

- -        internal static extern bool PushX509NameStackField(SafeX509NameStackHandle stack, SafeX509NameHandle x509_Name);

- -

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_RecursiveFreeX509NameStack")]

- -        internal static extern void RecursiveFreeX509NameStack(IntPtr stack);

- -

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_NewX509NameStack")]

- -        internal static extern SafeX509NameStackHandle NewX509NameStack();

- -

-          [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_GetX509NameStackField")]

-          private static extern SafeSharedX509NameHandle GetX509NameStackField_private(SafeSharedX509NameStackHandle sk,

-              int loc);

- @@ -32,15 +22,6 @@ internal static partial class Interop

-          [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_GetX509NameRawBytes")]

-          private static extern int GetX509NameRawBytes(SafeSharedX509NameHandle x509Name, byte[] buf, int cBuf);

-  

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_DecodeX509Name")]

- -        internal static extern SafeX509NameHandle DecodeX509Name(byte[] buf, int len);

- -

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_X509NameDestroy")]

- -        internal static extern void X509NameDestroy(IntPtr a);

- -

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_GetX509NameEntryCount")]

- -        internal static extern int GetX509NameEntryCount(SafeX509NameHandle x509Name);

- -

-          internal static X500DistinguishedName LoadX500Name(SafeSharedX509NameHandle namePtr)

-          {

-              CheckValidOpenSslHandle(namePtr);

- @@ -86,25 +67,5 @@ namespace Microsoft.Win32.SafeHandles

-          {

-          }

-      }

- -

- -    internal sealed class SafeX509NameStackHandle : SafeHandle

- -    {

- -        private SafeX509NameStackHandle() :

- -            base(IntPtr.Zero, ownsHandle: true)

- -        {

- -        }

- -

- -        protected override bool ReleaseHandle()

- -        {

- -            Interop.Crypto.RecursiveFreeX509NameStack(handle);

- -            SetHandle(IntPtr.Zero);

- -            return true;

- -        }

- -

- -        public override bool IsInvalid

- -        {

- -            get { return handle == IntPtr.Zero; }

- -        }

- -    }

-  }

-  

- diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509NameEntry.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509NameEntry.cs

- deleted file mode 100644

- index eeeea54d0c..0000000000

- --- a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509NameEntry.cs

- +++ /dev/null

- @@ -1,61 +0,0 @@

- -// Licensed to the .NET Foundation under one or more agreements.

- -// The .NET Foundation licenses this file to you under the MIT license.

- -// See the LICENSE file in the project root for more information.

- -

- -using System;

- -using System.Runtime.InteropServices;

- -using Microsoft.Win32.SafeHandles;

- -

- -internal static partial class Interop

- -{

- -    internal static partial class Crypto

- -    {

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_GetX509NameEntry")]

- -        private static extern SafeSharedX509NameEntryHandle GetX509NameEntry_private(SafeX509NameHandle x509Name, int loc);

- -

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_GetX509NameEntryOid")]

- -        private static extern SafeSharedAsn1ObjectHandle GetX509NameEntryOid_private(SafeSharedX509NameEntryHandle nameEntry);

- -

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_GetX509NameEntryData")]

- -        private static extern SafeSharedAsn1StringHandle GetX509NameEntryData_private(SafeSharedX509NameEntryHandle nameEntry);

- -

- -        internal static SafeSharedX509NameEntryHandle GetX509NameEntry(SafeX509NameHandle x509Name, int loc)

- -        {

- -            CheckValidOpenSslHandle(x509Name);

- -

- -            return SafeInteriorHandle.OpenInteriorHandle(

- -                (nameHandle, i) => GetX509NameEntry_private(nameHandle, i),

- -                x509Name,

- -                loc);

- -        }

- -

- -        internal static SafeSharedAsn1ObjectHandle GetX509NameEntryOid(SafeSharedX509NameEntryHandle nameEntry)

- -        {

- -            CheckValidOpenSslHandle(nameEntry);

- -

- -            return SafeInteriorHandle.OpenInteriorHandle(

- -                handle => GetX509NameEntryOid_private(handle),

- -                nameEntry);

- -        }

- -

- -        internal static SafeSharedAsn1StringHandle GetX509NameEntryData(SafeSharedX509NameEntryHandle nameEntry)

- -        {

- -            CheckValidOpenSslHandle(nameEntry);

- -

- -            return SafeInteriorHandle.OpenInteriorHandle(

- -                handle => GetX509NameEntryData_private(handle),

- -                nameEntry);

- -        }

- -    }

- -}

- -

- -namespace Microsoft.Win32.SafeHandles

- -{

- -    internal sealed class SafeSharedX509NameEntryHandle : SafeInteriorHandle

- -    {

- -        private SafeSharedX509NameEntryHandle() :

- -            base(IntPtr.Zero, ownsHandle: true)

- -        {

- -        }

- -    }

- -}

- diff --git a/src/Common/src/Microsoft/Win32/SafeHandles/SafeX509NameHandle.Unix.cs b/src/Common/src/Microsoft/Win32/SafeHandles/SafeX509NameHandle.Unix.cs

- deleted file mode 100644

- index ae22b92303..0000000000

- --- a/src/Common/src/Microsoft/Win32/SafeHandles/SafeX509NameHandle.Unix.cs

- +++ /dev/null

- @@ -1,30 +0,0 @@

- -// Licensed to the .NET Foundation under one or more agreements.

- -// The .NET Foundation licenses this file to you under the MIT license.

- -// See the LICENSE file in the project root for more information.

- -

- -using System;

- -using System.Security;

- -using System.Runtime.InteropServices;

- -

- -namespace Microsoft.Win32.SafeHandles

- -{

- -    internal sealed class SafeX509NameHandle : SafeHandle

- -    {

- -        private SafeX509NameHandle() :

- -            base(IntPtr.Zero, ownsHandle: true)

- -        {

- -        }

- -

- -        protected override bool ReleaseHandle()

- -        {

- -            Interop.Crypto.X509NameDestroy(handle);

- -            SetHandle(IntPtr.Zero);

- -            return true;

- -        }

- -

- -        public override bool IsInvalid

- -        {

- -            get { return handle == IntPtr.Zero; }

- -        }

- -    }

- -}

- diff --git a/src/Common/src/System/Security/Cryptography/DerSequenceReader.cs b/src/Common/src/System/Security/Cryptography/DerSequenceReader.cs

- index b68c9da093..68d9ac1bd2 100644

- --- a/src/Common/src/System/Security/Cryptography/DerSequenceReader.cs

- +++ b/src/Common/src/System/Security/Cryptography/DerSequenceReader.cs

- @@ -30,6 +30,9 @@ namespace System.Security.Cryptography

-  

-          internal static DateTimeFormatInfo s_validityDateTimeFormatInfo;

-  

- +        private static System.Text.Encoding s_utf8EncodingWithExceptionFallback;

- +        private static System.Text.Encoding s_latin1Encoding;

- +

-          private readonly byte[] _data;

-          private readonly int _end;

-          private int _position;

- @@ -383,6 +386,38 @@ namespace System.Security.Cryptography

-              return TrimTrailingNulls(ia5String);

-          }

-  

- +        internal string ReadT61String()

- +        {

- +            EatTag(DerTag.T61String);

- +            int contentLength = EatLength();

- +            string t61String;

- +

- +            // Technically the T.61 encoding (code page 20261) should be used here, but many

- +            // implementations don't follow that and use different character sets. CryptoAPI

- +            // on NetFX seems to interpret it as UTF-8 with fallback to ISO 8859-1. OpenSSL

- +            // seems to interpret it as ISO 8859-1 with no support for UTF-8.

- +            // https://github.com/dotnet/corefx/issues/27466

- +

- +            System.Text.Encoding utf8EncodingWithExceptionFallback = LazyInitializer.EnsureInitialized(

- +                ref s_utf8EncodingWithExceptionFallback,

- +                () => new UTF8Encoding(false, true));

- +            System.Text.Encoding latin1Encoding = LazyInitializer.EnsureInitialized(

- +                ref s_latin1Encoding,

- +                () => System.Text.Encoding.GetEncoding("iso-8859-1"));

- +            

- +            try

- +            {

- +                t61String = utf8EncodingWithExceptionFallback.GetString(_data, _position, contentLength);

- +            }

- +            catch (DecoderFallbackException)

- +            {

- +                t61String = latin1Encoding.GetString(_data, _position, contentLength);

- +            }

- +            _position += contentLength;

- +

- +            return TrimTrailingNulls(t61String);

- +        }

- +

-          internal DateTime ReadX509Date()

-          {

-              byte tag = PeekTag();

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_name.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_name.cpp

- index 2195b74906..02cbfee4a2 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_name.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_name.cpp

- @@ -14,6 +14,11 @@ extern "C" X509_NAME* CryptoNative_GetX509NameStackField(X509NameStack* sk, int3

-      return sk_X509_NAME_value(sk, loc);

-  }

-  

- +/*

- + * The following methods are kept around for compatiblity during servicing.

- + * They are not used.

- + */

- +

-  extern "C" X509_NAME* CryptoNative_DecodeX509Name(const uint8_t* buf, int32_t len)

-  {

-      if (!buf || !len)

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_name.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_name.h

- index 76a77ccc1f..b24a794bbd 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_name.h

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_name.h

- @@ -18,6 +18,11 @@ Direct shim to sk_X509_NAME_value

-  */

-  extern "C" X509_NAME* CryptoNative_GetX509NameStackField(X509NameStack* sk, int32_t loc);

-  

- +/*

- + * The following methods are kept around for compatiblity during servicing.

- + * They are not used.

- + */

- +

-  /*

-  Shims the d2i_X509_NAME method and makes it easier to invoke from managed code.

-  */

- diff --git a/src/System.Net.Http/src/System.Net.Http.csproj b/src/System.Net.Http/src/System.Net.Http.csproj

- index 3fa7cdd26f..66e5b8d5f8 100644

- --- a/src/System.Net.Http/src/System.Net.Http.csproj

- +++ b/src/System.Net.Http/src/System.Net.Http.csproj

- @@ -530,9 +530,6 @@

-      <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\SafeX509Handles.Unix.cs">

-        <Link>Common\Microsoft\Win32\SafeHandles\SafeX509Handles.Unix.cs</Link>

-      </Compile>

- -    <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\SafeX509NameHandle.Unix.cs">

- -      <Link>Common\Microsoft\Win32\SafeHandles\SafeX509NameHandle.Unix.cs</Link>

- -    </Compile>

-      <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\X509ExtensionSafeHandles.Unix.cs">

-        <Link>Common\Microsoft\Win32\SafeHandles\X509ExtensionSafeHandles.Unix.cs</Link>

-      </Compile>

- diff --git a/src/System.Net.Security/src/System.Net.Security.csproj b/src/System.Net.Security/src/System.Net.Security.csproj

- index 9dff20160e..bf8d773a4e 100644

- --- a/src/System.Net.Security/src/System.Net.Security.csproj

- +++ b/src/System.Net.Security/src/System.Net.Security.csproj

- @@ -328,9 +328,6 @@

-      <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\SafeX509Handles.Unix.cs">

-        <Link>Common\Microsoft\Win32\SafeHandles\SafeX509Handles.Unix.cs</Link>

-      </Compile>

- -    <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\SafeX509NameHandle.Unix.cs">

- -      <Link>Common\Microsoft\Win32\SafeHandles\SafeX509NameHandle.Unix.cs</Link>

- -    </Compile>

-      <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\X509ExtensionSafeHandles.Unix.cs">

-        <Link>Common\Microsoft\Win32\SafeHandles\X509ExtensionSafeHandles.Unix.cs</Link>

-      </Compile>

- diff --git a/src/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj b/src/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj

- index 9b1cb26508..fbe6f4c269 100644

- --- a/src/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj

- +++ b/src/System.Security.Cryptography.Algorithms/src/System.Security.Cryptography.Algorithms.csproj

- @@ -558,6 +558,7 @@

-      <Reference Include="System.Security.Cryptography.Encoding" />

-      <Reference Include="System.Security.Cryptography.Primitives" />

-      <Reference Include="System.Threading" />

- +    <Reference Include="System.Text.Encoding.Extensions" />

-    </ItemGroup>

-    <ItemGroup Condition="'$(TargetsUnix)' == 'true'">

-      <Reference Include="System.Runtime.Numerics" />

- diff --git a/src/System.Security.Cryptography.Encoding/src/System.Security.Cryptography.Encoding.csproj b/src/System.Security.Cryptography.Encoding/src/System.Security.Cryptography.Encoding.csproj

- index 9681ef62e4..388d4f36a6 100644

- --- a/src/System.Security.Cryptography.Encoding/src/System.Security.Cryptography.Encoding.csproj

- +++ b/src/System.Security.Cryptography.Encoding/src/System.Security.Cryptography.Encoding.csproj

- @@ -106,6 +106,7 @@

-      <Reference Include="System.Runtime.Extensions" />

-      <Reference Include="System.Runtime.InteropServices" />

-      <Reference Include="System.Security.Cryptography.Primitives" />

- +    <Reference Include="System.Text.Encoding.Extensions" />

-    </ItemGroup>

-    <ItemGroup Condition=" '$(TargetsOSX)' == 'true' ">

-      <Reference Include="System.Runtime.Numerics" />

- diff --git a/src/System.Security.Cryptography.OpenSsl/src/System.Security.Cryptography.OpenSsl.csproj b/src/System.Security.Cryptography.OpenSsl/src/System.Security.Cryptography.OpenSsl.csproj

- index 095d62bc6d..3846bcad23 100644

- --- a/src/System.Security.Cryptography.OpenSsl/src/System.Security.Cryptography.OpenSsl.csproj

- +++ b/src/System.Security.Cryptography.OpenSsl/src/System.Security.Cryptography.OpenSsl.csproj

- @@ -160,6 +160,7 @@

-      <Reference Include="System.Security.Cryptography.Algorithms" />

-      <Reference Include="System.Security.Cryptography.Encoding" />

-      <Reference Include="System.Security.Cryptography.Primitives" />

- +    <Reference Include="System.Text.Encoding.Extensions" />

-      <Reference Include="System.Threading" />

-    </ItemGroup>

-    <Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory), dir.targets))\dir.targets" />

- diff --git a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs

- index 094e95c20d..0285415ba3 100644

- --- a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs

- +++ b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.ManagedDecode.cs

- @@ -127,7 +127,7 @@ namespace Internal.Cryptography.Pal

-                  }

-              }

-  

- -            if (addTrailingDelimiter)

- +            if (addTrailingDelimiter && decodedName.Length > 0)

-              {

-                  decodedName.Append(dnSeparator);

-              }

- @@ -150,7 +150,7 @@ namespace Internal.Cryptography.Pal

-                  case DerSequenceReader.DerTag.UTF8String:

-                      return tavReader.ReadUtf8String();

-                  case DerSequenceReader.DerTag.T61String:

- -                    return "";

- +                    return tavReader.ReadT61String();

-                  default:

-                      throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);

-              }

- diff --git a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.OpenSslDecode.cs b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.OpenSslDecode.cs

- deleted file mode 100644

- index 0c03283475..0000000000

- --- a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.OpenSslDecode.cs

- +++ /dev/null

- @@ -1,123 +0,0 @@

- -// Licensed to the .NET Foundation under one or more agreements.

- -// The .NET Foundation licenses this file to you under the MIT license.

- -// See the LICENSE file in the project root for more information.

- -

- -using System.Text;

- -

- -using Microsoft.Win32.SafeHandles;

- -

- -namespace Internal.Cryptography.Pal

- -{

- -    internal static partial class X500NameEncoder

- -    {

- -        private static string X500DistinguishedNameDecode(

- -            byte[] encodedName,

- -            bool printOid,

- -            bool reverse,

- -            bool quoteIfNeeded,

- -            string dnSeparator,

- -            string multiValueSeparator,

- -            bool addTrailingDelimiter)

- -        {

- -            using (SafeX509NameHandle x509Name = Interop.Crypto.DecodeX509Name(encodedName, encodedName.Length))

- -            {

- -                if (x509Name.IsInvalid)

- -                {

- -                    Interop.Crypto.ErrClearError();

- -                    return "";

- -                }

- -

- -                // We need to allocate a StringBuilder to hold the data as we're building it, and there's the usual

- -                // arbitrary process of choosing a number that's "big enough" to minimize reallocations without wasting

- -                // too much space in the average case.

- -                //

- -                // So, let's look at an example of what our output might be.

- -                //

- -                // GitHub.com's SSL cert has a "pretty long" subject (partially due to the unknown OIDs):

- -                //   businessCategory=Private Organization

- -                //   1.3.6.1.4.1.311.60.2.1.3=US

- -                //   1.3.6.1.4.1.311.60.2.1.2=Delaware

- -                //   serialNumber=5157550

- -                //   street=548 4th Street

- -                //   postalCode=94107

- -                //   C=US

- -                //   ST=California

- -                //   L=San Francisco

- -                //   O=GitHub, Inc.

- -                //   CN=github.com

- -                //

- -                // Which comes out to 228 characters using OpenSSL's default pretty-print

- -                // (openssl x509 -in github.cer -text -noout)

- -                // Throw in some "maybe-I-need-to-quote-this" quotes, and a couple of extra/extra-long O/OU values

- -                // and round that up to the next programmer number, and you get that 512 should avoid reallocations

- -                // in all but the most dire of cases.

- -                StringBuilder decodedName = new StringBuilder(512);

- -                int entryCount = Interop.Crypto.GetX509NameEntryCount(x509Name);

- -                bool printSpacing = false;

- -

- -                for (int i = 0; i < entryCount; i++)

- -                {

- -                    int loc = reverse ? entryCount - i - 1 : i;

- -

- -                    using (SafeSharedX509NameEntryHandle nameEntry = Interop.Crypto.GetX509NameEntry(x509Name, loc))

- -                    {

- -                        Interop.Crypto.CheckValidOpenSslHandle(nameEntry);

- -

- -                        string thisOidValue;

- -

- -                        using (SafeSharedAsn1ObjectHandle oidHandle = Interop.Crypto.GetX509NameEntryOid(nameEntry))

- -                        {

- -                            thisOidValue = Interop.Crypto.GetOidValue(oidHandle);

- -                        }

- -

- -                        if (printSpacing)

- -                        {

- -                            decodedName.Append(dnSeparator);

- -                        }

- -                        else

- -                        {

- -                            printSpacing = true;

- -                        }

- -

- -                        if (printOid)

- -                        {

- -                            AppendOid(decodedName, thisOidValue);

- -                        }

- -

- -                        string rdnValue;

- -

- -                        using (SafeSharedAsn1StringHandle valueHandle = Interop.Crypto.GetX509NameEntryData(nameEntry))

- -                        {

- -                            rdnValue = Interop.Crypto.Asn1StringToManagedString(valueHandle);

- -                        }

- -

- -                        bool quote = quoteIfNeeded && NeedsQuoting(rdnValue);

- -

- -                        if (quote)

- -                        {

- -                            decodedName.Append('"');

- -

- -                            // If the RDN itself had a quote within it, that quote needs to be escaped

- -                            // with another quote.

- -                            rdnValue = rdnValue.Replace("\"", "\"\"");

- -                        }

- -

- -                        decodedName.Append(rdnValue);

- -

- -                        if (quote)

- -                        {

- -                            decodedName.Append('"');

- -                        }

- -                    }

- -                }

- -

- -                if (addTrailingDelimiter)

- -                {

- -                    decodedName.Append(dnSeparator);

- -                }

- -

- -                return decodedName.ToString();

- -            }

- -        }

- -    }

- -}

- diff --git a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.cs b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.cs

- index 56da9ae40c..005e09abe3 100644

- --- a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.cs

- +++ b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X500NameEncoder.cs

- @@ -40,7 +40,7 @@ namespace Internal.Cryptography.Pal

-              byte[] encodedName,

-              bool printOid,

-              X500DistinguishedNameFlags flags,

- -            bool addTrailingDelimieter=false)

- +            bool addTrailingDelimiter = false)

-          {

-              bool reverse = (flags & X500DistinguishedNameFlags.Reversed) == X500DistinguishedNameFlags.Reversed;

-              bool quoteIfNeeded = (flags & X500DistinguishedNameFlags.DoNotUseQuotes) != X500DistinguishedNameFlags.DoNotUseQuotes;

- @@ -51,7 +51,8 @@ namespace Internal.Cryptography.Pal

-              {

-                  dnSeparator = "; ";

-              }

- -            else if ((flags & X500DistinguishedNameFlags.UseNewLines) == X500DistinguishedNameFlags.UseNewLines)

- +            // Explicit UseCommas has preference over explicit UseNewLines.

- +            else if ((flags & (X500DistinguishedNameFlags.UseNewLines | X500DistinguishedNameFlags.UseCommas)) == X500DistinguishedNameFlags.UseNewLines)

-              {

-                  dnSeparator = Environment.NewLine;

-              }

- @@ -73,7 +74,7 @@ namespace Internal.Cryptography.Pal

-                      quoteIfNeeded,

-                      dnSeparator,

-                      multiValueSparator,

- -                    addTrailingDelimieter);

- +                    addTrailingDelimiter);

-              }

-              catch (CryptographicException)

-              {

- diff --git a/src/System.Security.Cryptography.X509Certificates/src/System.Security.Cryptography.X509Certificates.csproj b/src/System.Security.Cryptography.X509Certificates/src/System.Security.Cryptography.X509Certificates.csproj

- index 20b0328943..3bdef009b9 100644

- --- a/src/System.Security.Cryptography.X509Certificates/src/System.Security.Cryptography.X509Certificates.csproj

- +++ b/src/System.Security.Cryptography.X509Certificates/src/System.Security.Cryptography.X509Certificates.csproj

- @@ -169,7 +169,6 @@

-      <Compile Include="Internal\Cryptography\Pal.Unix\PkcsFormatReader.cs" />

-      <Compile Include="Internal\Cryptography\Pal.Unix\SingleCertLoader.cs" />

-      <Compile Include="Internal\Cryptography\Pal.Unix\StorePal.cs" />

- -    <Compile Include="Internal\Cryptography\Pal.Unix\X500NameEncoder.OpenSslDecode.cs" />

-      <Compile Include="Internal\Cryptography\Pal.Unix\X509Pal.cs" />

-      <Compile Include="Internal\Cryptography\Pal.Unix\X509Persistence.cs" />

-      <Compile Include="$(CommonPath)\Interop\Unix\Interop.Libraries.cs">

- @@ -223,9 +222,6 @@

-      <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.X509Name.cs">

-        <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.X509Name.cs</Link>

-      </Compile>

- -    <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.X509NameEntry.cs">

- -      <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.X509NameEntry.cs</Link>

- -    </Compile>

-      <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.X509Stack.cs">

-        <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.X509Stack.cs</Link>

-      </Compile>

- @@ -274,9 +270,6 @@

-      <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\SafeX509Handles.Unix.cs">

-        <Link>Common\Microsoft\Win32\SafeHandles\SafeX509Handles.Unix.cs</Link>

-      </Compile>

- -    <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\SafeX509NameHandle.Unix.cs">

- -      <Link>Common\Microsoft\Win32\SafeHandles\SafeX509NameHandle.Unix.cs</Link>

- -    </Compile>

-      <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\X509ExtensionSafeHandles.Unix.cs">

-        <Link>Common\Microsoft\Win32\SafeHandles\X509ExtensionSafeHandles.Unix.cs</Link>

-      </Compile>

- @@ -390,7 +383,6 @@

-      <Compile Include="Internal\Cryptography\Pal.OSX\StorePal.ExportPal.cs" />

-      <Compile Include="Internal\Cryptography\Pal.OSX\StorePal.LoaderPal.cs" />

-      <Compile Include="Internal\Cryptography\Pal.OSX\X509Pal.cs" />

- -    <Compile Include="Internal\Cryptography\Pal.Unix\X500NameEncoder.ManagedDecode.cs" />

-    </ItemGroup>

-    <ItemGroup Condition=" '$(TargetsUnix)' == 'true'">

-      <Compile Include="Internal\Cryptography\Pal.Unix\CertificatePolicy.cs" />

- @@ -398,6 +390,7 @@

-      <Compile Include="Internal\Cryptography\Pal.Unix\ManagedCertificateFinder.cs" />

-      <Compile Include="Internal\Cryptography\Pal.Unix\ManagedX509ExtensionProcessor.cs" />

-      <Compile Include="Internal\Cryptography\Pal.Unix\X500NameEncoder.cs" />

- +    <Compile Include="Internal\Cryptography\Pal.Unix\X500NameEncoder.ManagedDecode.cs" />

-    </ItemGroup>

-    <ItemGroup>

-      <Reference Include="System.Buffers" />

- @@ -417,6 +410,7 @@

-      <Reference Include="System.Security.Cryptography.Algorithms" />

-      <Reference Include="System.Security.Cryptography.Encoding" />

-      <Reference Include="System.Security.Cryptography.Primitives" />

- +    <Reference Include="System.Text.Encoding.Extensions" />

-      <Reference Include="System.Threading" />

-    </ItemGroup>

-    <ItemGroup Condition="'$(TargetsWindows)' == 'true'">

- diff --git a/src/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs b/src/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs

- index 027823ffbd..95ac1ed519 100644

- --- a/src/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs

- +++ b/src/System.Security.Cryptography.X509Certificates/tests/X500DistinguishedNameTests.cs

- @@ -126,6 +126,16 @@ namespace System.Security.Cryptography.X509Certificates.Tests

-  

-              Assert.Equal(notQuoted, dn.Decode(X500DistinguishedNameFlags.DoNotUseQuotes));

-          }

- +        

- +        [Theory]

- +        [MemberData(nameof(T61Cases))]

- +        public static void T61Strings(string expected, string hexEncoded)

- +        {

- +            byte[] encoded = hexEncoded.HexToByteArray();

- +            X500DistinguishedName dn = new X500DistinguishedName(encoded);

- +

- +            Assert.Equal(expected, dn.Name);

- +        }

-  

-          [Fact]

-          public static void PrintComplexReversed()

- @@ -158,6 +168,22 @@ namespace System.Security.Cryptography.X509Certificates.Tests

-              Assert.EndsWith(expected, dn.Decode(X500DistinguishedNameFlags.None), StringComparison.Ordinal);

-          }

-  

- +        [Fact]

- +        public static void EdgeCaseEmptyFormat()

- +        {

- +            X500DistinguishedName dn = new X500DistinguishedName("");

- +            Assert.Equal(String.Empty, dn.Format(true));

- +            Assert.Equal(String.Empty, dn.Format(false));

- +        }

- +

- +        [Fact]

- +        public static void EdgeCaseUseCommaAndNewLines()

- +        {

- +            const string rname = "C=US, O=\"RSA Data Security, Inc.\", OU=Secure Server Certification Authority";

- +            X500DistinguishedName dn = new X500DistinguishedName(rname, X500DistinguishedNameFlags.None);

- +            Assert.Equal(rname, dn.Decode(X500DistinguishedNameFlags.UseCommas | X500DistinguishedNameFlags.UseNewLines));

- +        }

- +

-          public static readonly object[][] WhitespaceBeforeCases =

-          {

-              // Regular space.

- @@ -386,6 +412,49 @@ namespace System.Security.Cryptography.X509Certificates.Tests

-              },

-          };

-  

- +        public static readonly object[][] T61Cases =

- +        {

- +            // https://github.com/dotnet/corefx/issues/27466

- +            new object[]

- +            {

- +                "CN=GrapeCity inc., OU=Tools Development, O=GrapeCity inc., " +

- +                "L=Sendai Izumi-ku, S=Miyagi, C=JP",

- +                "308186310b3009060355040613024a50310f300d060355040813064d69796167" +

- +                "69311830160603550407130f53656e64616920497a756d692d6b753117301506" +

- +                "0355040a140e47726170654369747920696e632e311a3018060355040b141154" +

- +                "6f6f6c7320446576656c6f706d656e74311730150603550403140e4772617065" +

- +                "4369747920696e632e"

- +            },

- +

- +            // Mono test case taken from old bug report

- +            new object[]

- +            {

- +                "SERIALNUMBER=CVR:13471967-UID:121212121212, E=vhm@use.test.dk, " +

- +                "CN=Hedeby's M\u00f8belhandel - Salgsafdelingen, " + 

- +                "O=Hedeby's M\u00f8belhandel // CVR:13471967, C=DK",

- +                "3081B5310B300906035504061302444B312D302B060355040A14244865646562" +

- +                "792773204DF862656C68616E64656C202F2F204356523A313334373139363731" +

- +                "2F302D060355040314264865646562792773204DF862656C68616E64656C202D" +

- +                "2053616C6773616664656C696E67656E311E301C06092A864886F70D01090116" +

- +                "0F76686D407573652E746573742E646B312630240603550405131D4356523A31" +

- +                "333437313936372D5549443A313231323132313231323132"

- +            },

- +

- +            // Valid UTF-8 string is interpreted as UTF-8

- +            new object[]

- +            {

- +                "C=\u00a2",

- +                "300D310B300906035504061402C2A2"

- +            },

- +

- +            // Invalid UTF-8 string with valid UTF-8 sequence is interpreted as ISO 8859-1

- +            new object[]

- +            {

- +                "L=\u00c2\u00a2\u00f8",

- +                "300E310C300A06035504071403C2A2F8"

- +            },

- +        };

- +

-          private const string MicrosoftDotComSubject =

-              "3082010F31133011060B2B0601040182373C02010313025553311B3019060B2B" +

-              "0601040182373C0201020C0A57617368696E67746F6E311D301B060355040F13" +

- -- 

- 2.20.1

- 

@@ -1,355 +0,0 @@ 

- From 3fd578c3ccea681efd14aea07a0364b3baa3cca7 Mon Sep 17 00:00:00 2001

- From: Filip Navara <filip.navara@gmail.com>

- Date: Mon, 9 Jul 2018 19:08:50 +0200

- Subject: [PATCH 2/7] Drop pal_asn1_print in favor of the managed code

- 

- * Drop pal_asn1_print in favor of the managed code that is already used on macOS.

- 

- * Add handling of T61 strings to ManagedCertificateFinder.DerStringToManagedString.

- ---

-  .../Interop.ASN1.Print.cs                     | 144 ------------------

-  .../Win32/SafeHandles/Asn1SafeHandles.Unix.cs |  28 ----

-  .../pal_asn1_print.cpp                        |   5 +

-  .../pal_asn1_print.h                          |   5 +

-  .../Internal/Cryptography/Pal.OSX/FindPal.cs  |  28 ----

-  .../Pal.Unix/ManagedCertificateFinder.cs      |  31 +++-

-  .../Pal.Unix/OpenSslCertificateFinder.cs      |   5 -

-  ...urity.Cryptography.X509Certificates.csproj |   3 -

-  8 files changed, 40 insertions(+), 209 deletions(-)

-  delete mode 100644 src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.ASN1.Print.cs

- 

- diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.ASN1.Print.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.ASN1.Print.cs

- deleted file mode 100644

- index 12199563c8..0000000000

- --- a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.ASN1.Print.cs

- +++ /dev/null

- @@ -1,144 +0,0 @@

- -// Licensed to the .NET Foundation under one or more agreements.

- -// The .NET Foundation licenses this file to you under the MIT license.

- -// See the LICENSE file in the project root for more information.

- -

- -using System;

- -using System.Runtime.InteropServices;

- -using System.Text;

- -using Microsoft.Win32.SafeHandles;

- -

- -internal static partial class Interop

- -{

- -    internal static partial class Crypto

- -    {

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_DecodeAsn1TypeBytes")]

- -        private static extern SafeAsn1StringHandle DecodeAsn1TypeBytes(byte[] buf, int len, Asn1StringTypeFlags flags);

- -

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_Asn1StringPrintEx")]

- -        private static extern int Asn1StringPrintEx(SafeBioHandle bio, SafeAsn1StringHandle str, Asn1StringPrintFlags flags);

- -

- -        [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_Asn1StringPrintEx")]

- -        private static extern int Asn1StringPrintEx(SafeBioHandle bio, SafeSharedAsn1StringHandle str, Asn1StringPrintFlags flags);

- -

- -        internal static string DerStringToManagedString(byte[] derString)

- -        {

- -            SafeAsn1StringHandle asn1String = DecodeAsn1TypeBytes(derString, derString.Length, AnyTextStringType);

- -

- -            if (asn1String.IsInvalid)

- -            {

- -                Interop.Crypto.ErrClearError();

- -                return null;

- -            }

- -

- -            using (asn1String)

- -            {

- -                return Asn1StringToManagedString(

- -                    asn1String,

- -                    (bio, str, flags) => Asn1StringPrintEx(bio, str, flags));

- -            }

- -        }

- -

- -        internal static string Asn1StringToManagedString(SafeSharedAsn1StringHandle asn1String)

- -        {

- -            CheckValidOpenSslHandle(asn1String);

- -

- -            return Asn1StringToManagedString(

- -                asn1String,

- -                (bio, str, flags) => Asn1StringPrintEx(bio, str, flags));

- -        }

- -

- -        private static string Asn1StringToManagedString<THandle>(

- -            THandle asn1String,

- -            Func<SafeBioHandle, THandle, Asn1StringPrintFlags, int> asn1StringPrintEx)

- -        {

- -            byte[] utf8Bytes;

- -

- -            using (SafeBioHandle bio = CreateMemoryBio())

- -            {

- -                CheckValidOpenSslHandle(bio);

- -                

- -                int len = asn1StringPrintEx(bio, asn1String, Asn1StringPrintFlags.ASN1_STRFLGS_UTF8_CONVERT);

- -

- -                if (len < 0)

- -                {

- -                    throw CreateOpenSslCryptographicException();

- -                }

- -

- -                if (len == 0)

- -                {

- -                    return "";

- -                }

- -

- -                int bioSize = GetMemoryBioSize(bio);

- -                utf8Bytes = new byte[bioSize + 1];

- -

- -                int read = BioRead(bio, utf8Bytes, utf8Bytes.Length);

- -

- -                if (read < 0)

- -                {

- -                    throw CreateOpenSslCryptographicException();

- -                }

- -            }

- -

- -            int nonNullCount = utf8Bytes.Length;

- -

- -            if (utf8Bytes[utf8Bytes.Length - 1] == 0)

- -            {

- -                for (int i = utf8Bytes.Length - 1; i >= 0; i--)

- -                {

- -                    if (utf8Bytes[i] != 0)

- -                    {

- -                        break;

- -                    }

- -

- -                    nonNullCount = i;

- -                }

- -            }

- -

- -            return Encoding.UTF8.GetString(utf8Bytes, 0, nonNullCount);

- -        }

- -

- -        [Flags]

- -        private enum Asn1StringPrintFlags : ulong

- -        {

- -            ASN1_STRFLGS_UTF8_CONVERT = 0x10,

- -        }

- -

- -        [Flags]

- -        private enum Asn1StringTypeFlags

- -        {

- -            B_ASN1_NUMERICSTRING = 0x0001,

- -            B_ASN1_PRINTABLESTRING = 0x0002,

- -            B_ASN1_T61STRING = 0x0004,

- -            B_ASN1_VIDEOTEXSTRING = 0x0008,

- -            B_ASN1_IA5STRING = 0x0010,

- -            B_ASN1_GRAPHICSTRING = 0x0020,

- -            B_ASN1_VISIBLESTRING = 0x0040,

- -            B_ASN1_GENERALSTRING = 0x0080,

- -            B_ASN1_UNIVERSALSTRING = 0x0100,

- -            B_ASN1_OCTET_STRING = 0x0200,

- -            B_ASN1_BIT_STRING = 0x0400,

- -            B_ASN1_BMPSTRING = 0x0800,

- -            B_ASN1_UNKNOWN = 0x1000,

- -            B_ASN1_UTF8STRING = 0x2000,

- -            B_ASN1_UTCTIME = 0x4000,

- -            B_ASN1_GENERALIZEDTIME = 0x8000,

- -            B_ASN1_SEQUENCE = 0x10000,

- -        }

- -

- -        private const Asn1StringTypeFlags AnyTextStringType =

- -            Asn1StringTypeFlags.B_ASN1_NUMERICSTRING |

- -            Asn1StringTypeFlags.B_ASN1_PRINTABLESTRING |

- -            Asn1StringTypeFlags.B_ASN1_T61STRING |

- -            Asn1StringTypeFlags.B_ASN1_VIDEOTEXSTRING |

- -            Asn1StringTypeFlags.B_ASN1_IA5STRING |

- -            Asn1StringTypeFlags.B_ASN1_GRAPHICSTRING |

- -            Asn1StringTypeFlags.B_ASN1_VISIBLESTRING |

- -            Asn1StringTypeFlags.B_ASN1_GENERALSTRING |

- -            Asn1StringTypeFlags.B_ASN1_UNIVERSALSTRING |

- -            Asn1StringTypeFlags.B_ASN1_BMPSTRING |

- -            Asn1StringTypeFlags.B_ASN1_UTF8STRING |

- -            Asn1StringTypeFlags.B_ASN1_UTCTIME |

- -            Asn1StringTypeFlags.B_ASN1_GENERALIZEDTIME;

- -    }

- -}

- diff --git a/src/Common/src/Microsoft/Win32/SafeHandles/Asn1SafeHandles.Unix.cs b/src/Common/src/Microsoft/Win32/SafeHandles/Asn1SafeHandles.Unix.cs

- index 3fdde3f602..ddf413110c 100644

- --- a/src/Common/src/Microsoft/Win32/SafeHandles/Asn1SafeHandles.Unix.cs

- +++ b/src/Common/src/Microsoft/Win32/SafeHandles/Asn1SafeHandles.Unix.cs

- @@ -68,34 +68,6 @@ namespace Microsoft.Win32.SafeHandles

-          }

-      }

-  

- -    internal sealed class SafeAsn1StringHandle : SafeHandle

- -    {

- -        private SafeAsn1StringHandle() :

- -            base(IntPtr.Zero, ownsHandle: true)

- -        {

- -        }

- -

- -        protected override bool ReleaseHandle()

- -        {

- -            Interop.Crypto.Asn1StringFree(handle);

- -            SetHandle(IntPtr.Zero);

- -            return true;

- -        }

- -

- -        public override bool IsInvalid

- -        {

- -            get { return handle == IntPtr.Zero; }

- -        }

- -    }

- -

- -    internal sealed class SafeSharedAsn1StringHandle : SafeInteriorHandle

- -    {

- -        private SafeSharedAsn1StringHandle() :

- -            base(IntPtr.Zero, ownsHandle: true)

- -        {

- -        }

- -    }

- -

-      internal sealed class SafeSharedAsn1IntegerHandle : SafeInteriorHandle

-      {

-          private SafeSharedAsn1IntegerHandle() :

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.cpp

- index ffbfef980d..01a544f5e9 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.cpp

- @@ -4,6 +4,11 @@

-  

-  #include "pal_asn1_print.h"

-  

- +/*

- + * This file is completely unused. It's kept around for compatiblity between

- + * servicing updates.

- + */

- +

-  static_assert(PAL_B_ASN1_NUMERICSTRING == B_ASN1_NUMERICSTRING, "");

-  static_assert(PAL_B_ASN1_PRINTABLESTRING == B_ASN1_PRINTABLESTRING, "");

-  static_assert(PAL_B_ASN1_T61STRING == B_ASN1_T61STRING, "");

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.h

- index 982506e420..71205cc13c 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.h

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.h

- @@ -5,6 +5,11 @@

-  #include "pal_types.h"

-  #include "opensslshim.h"

-  

- +/*

- + * This file is completely unused. It's kept around for compatiblity between

- + * servicing updates.

- + */

- +

-  /*

-  Flags for the 'type' parameter of CryptoNative_DecodeAsn1TypeBytes.

-  */

- diff --git a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/FindPal.cs b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/FindPal.cs

- index b2d2846c1a..e66bad7e76 100644

- --- a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/FindPal.cs

- +++ b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/FindPal.cs

- @@ -22,34 +22,6 @@ namespace Internal.Cryptography.Pal

-              {

-              }

-  

- -            protected override string DerStringToManagedString(byte[] anyString)

- -            {

- -                DerSequenceReader reader = DerSequenceReader.CreateForPayload(anyString);

- -

- -                var tag = (DerSequenceReader.DerTag)reader.PeekTag();

- -                string value = null;

- -

- -                switch (tag)

- -                {

- -                    case DerSequenceReader.DerTag.BMPString:

- -                        value = reader.ReadBMPString();

- -                        break;

- -                    case DerSequenceReader.DerTag.IA5String:

- -                        value = reader.ReadIA5String();

- -                        break;

- -                    case DerSequenceReader.DerTag.PrintableString:

- -                        value = reader.ReadPrintableString();

- -                        break;

- -                    case DerSequenceReader.DerTag.UTF8String:

- -                        value = reader.ReadUtf8String();

- -                        break;

- -

- -                    // Ignore anything we don't know how to read.

- -                }

- -

- -                return value;

- -            }

- -

-              protected override byte[] GetSubjectPublicKeyInfo(X509Certificate2 cert)

-              {

-                  AppleCertificatePal pal = (AppleCertificatePal)cert.Pal;

- diff --git a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/ManagedCertificateFinder.cs b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/ManagedCertificateFinder.cs

- index ebc5ee48d1..a70bf1488d 100644

- --- a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/ManagedCertificateFinder.cs

- +++ b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/ManagedCertificateFinder.cs

- @@ -123,7 +123,36 @@ namespace Internal.Cryptography.Pal

-              FindCore(cert => cert.NotAfter < normalized);

-          }

-  

- -        protected abstract string DerStringToManagedString(byte[] anyString);

- +        private string DerStringToManagedString(byte[] anyString)

- +        {

- +            DerSequenceReader reader = DerSequenceReader.CreateForPayload(anyString);

- +

- +            var tag = (DerSequenceReader.DerTag)reader.PeekTag();

- +            string value = null;

- +

- +            switch (tag)

- +            {

- +                case DerSequenceReader.DerTag.BMPString:

- +                    value = reader.ReadBMPString();

- +                    break;

- +                case DerSequenceReader.DerTag.IA5String:

- +                    value = reader.ReadIA5String();

- +                    break;

- +                case DerSequenceReader.DerTag.PrintableString:

- +                    value = reader.ReadPrintableString();

- +                    break;

- +                case DerSequenceReader.DerTag.UTF8String:

- +                    value = reader.ReadUtf8String();

- +                    break;

- +                case DerSequenceReader.DerTag.T61String:

- +                    value = reader.ReadT61String();

- +                    break;

- +

- +                // Ignore anything we don't know how to read.

- +            }

- +

- +            return value;

- +        }

-  

-          public void FindByTemplateName(string templateName)

-          {

- diff --git a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslCertificateFinder.cs b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslCertificateFinder.cs

- index 720c298994..717ee3753b 100644

- --- a/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslCertificateFinder.cs

- +++ b/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslCertificateFinder.cs

- @@ -13,11 +13,6 @@ namespace Internal.Cryptography.Pal

-          {

-          }

-  

- -        protected override string DerStringToManagedString(byte[] anyString)

- -        {

- -            return Interop.Crypto.DerStringToManagedString(anyString);

- -        }

- -

-          protected override byte[] GetSubjectPublicKeyInfo(X509Certificate2 cert)

-          {

-              OpenSslX509CertificateReader certPal = (OpenSslX509CertificateReader)cert.Pal;

- diff --git a/src/System.Security.Cryptography.X509Certificates/src/System.Security.Cryptography.X509Certificates.csproj b/src/System.Security.Cryptography.X509Certificates/src/System.Security.Cryptography.X509Certificates.csproj

- index 3bdef009b9..5d9e22a7f3 100644

- --- a/src/System.Security.Cryptography.X509Certificates/src/System.Security.Cryptography.X509Certificates.csproj

- +++ b/src/System.Security.Cryptography.X509Certificates/src/System.Security.Cryptography.X509Certificates.csproj

- @@ -186,9 +186,6 @@

-      <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.ASN1.GetIntegerBytes.cs">

-        <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.ASN1.GetIntegerBytes.cs</Link>

-      </Compile>

- -    <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.ASN1.Print.cs">

- -      <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.ASN1.Print.cs</Link>

- -    </Compile>

-      <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.Bignum.cs">

-        <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.Bignum.cs</Link>

-      </Compile>

- -- 

- 2.20.1

- 

@@ -1,3594 +0,0 @@ 

- From e4bcbd5885e93ea4620103efc303c9b61982851b Mon Sep 17 00:00:00 2001

- From: Jeremy Barton <jbarton@microsoft.com>

- Date: Tue, 4 Sep 2018 12:53:06 -0700

- Subject: [PATCH 3/7] Add hybrid support for OpenSSL 1.0 and 1.1

- 

- This changes the functional code to use OpenSSL 1.1 API in the places where the API changed. "apibridge" provides equivalent methods for the OpenSSL 1.0 environment.

- 

- The following configurations have been tested:

- 

- * Non-portable against OpenSSL 1.0

- * Non-portable against OpenSSL 1.1

- * Portable, built against OpenSSL 1.0 and run against OpenSSL 1.0

- * Portable, built against OpenSSL 1.0 and run against OpenSSL 1.1

- * Portable, built against OpenSSL 1.1 and run against OpenSSL 1.0

- * Portable, built against OpenSSL 1.1 and run against OpenSSL 1.1

- 

- In opensslshim, the PER_FUNCTION_BLOCK macro style has been broken up into a named purposes:

- 

- * REQUIRED_FUNCTION(fn)

-   * API that we use unconditionally, regardless of version

-   * Formerly PER_FUNCTION_BLOCK(fn, true)

- * NEW_REQUIRED_FUNCTION(fn)

-   * API that we use unconditionally in paths that only exist against OpenSSL 1.1, is not probed for when the runtime is 1.0

- * LIGHTUP_FUNCTION(fn)

-   * API that might not exist, must be probed with API_EXISTS checks before being utilized

-   * Formerly PER_FUNCTION_BLOCK(fn, false)

- * FALLBACK_FUNCTION(fn)

-   * API that is required on OpenSSL 1.1, and when not found will bind to a method named local_#fn in the shim library

- * RENAMED_FUNCTION(fn,oldfn)

-   * Handles a rename with no signature change from oldfn to newfn, binds appropriately based on the runtime library.

- * LEGACY_FUNCTION(fn)

-   * API that we use unconditionally in paths that only exist against OpenSSL 1.0, is not probed for when the runtime is 1.1.

- 

- Two new #defines are available, but ideally need no further usage:

- 

- * NEED_OPENSSL_1_0

-   * Defined when building portable, or on non-portable when the headers are OpenSSL 1.0

- * NEED_OPENSSL_1_1

-   * Defined when building portable, or on non-portable when the headers are OpenSSL 1.1

- ---

-  .../SafeHandles/SafeEvpPKeyHandle.Unix.cs     |   7 +-

-  .../CMakeLists.txt                            |   3 +-

-  .../apibridge.cpp                             | 524 ++++++++++

-  .../apibridge.h                               |  45 +

-  .../configure.cmake                           |   5 -

-  .../openssl.cpp                               | 199 ++--

-  .../openssl.h                                 |  11 +

-  .../openssl_1_0_structs.h                     | 139 +++

-  .../opensslshim.cpp                           |  60 +-

-  .../opensslshim.h                             | 928 ++++++++++++------

-  .../pal_asn1.cpp                              |   2 +-

-  .../pal_asn1.h                                |   2 +-

-  .../pal_asn1_print.cpp                        |   9 +-

-  .../pal_crypto_config.h.in                    |   2 -

-  .../pal_dsa.cpp                               | 123 ++-

-  .../pal_dsa.h                                 |  10 +-

-  .../pal_evp.cpp                               |   6 +-

-  .../pal_evp_cipher.cpp                        |  26 +-

-  .../pal_evp_pkey.cpp                          |   2 +-

-  .../pal_hmac.cpp                              |  12 +-

-  .../pal_hmac.h                                |   1 -

-  .../pal_rsa.cpp                               | 158 +--

-  .../pal_rsa.h                                 |  16 +-

-  .../pal_ssl.cpp                               | 144 ++-

-  .../pal_x509.cpp                              |  16 +-

-  .../pal_x509_root.cpp                         |   1 +

-  .../Internal/Cryptography/OpenSslCipher.cs    |  19 +

-  27 files changed, 1878 insertions(+), 592 deletions(-)

-  create mode 100644 src/Native/Unix/System.Security.Cryptography.Native/apibridge.cpp

-  create mode 100644 src/Native/Unix/System.Security.Cryptography.Native/apibridge.h

-  create mode 100644 src/Native/Unix/System.Security.Cryptography.Native/openssl.h

-  create mode 100644 src/Native/Unix/System.Security.Cryptography.Native/openssl_1_0_structs.h

- 

- diff --git a/src/Common/src/Microsoft/Win32/SafeHandles/SafeEvpPKeyHandle.Unix.cs b/src/Common/src/Microsoft/Win32/SafeHandles/SafeEvpPKeyHandle.Unix.cs

- index c706b1ce88..e51a7ca981 100644

- --- a/src/Common/src/Microsoft/Win32/SafeHandles/SafeEvpPKeyHandle.Unix.cs

- +++ b/src/Common/src/Microsoft/Win32/SafeHandles/SafeEvpPKeyHandle.Unix.cs

- @@ -52,12 +52,9 @@ namespace System.Security.Cryptography

-              // that we don't lose a tracked reference in low-memory situations.

-              SafeEvpPKeyHandle safeHandle = new SafeEvpPKeyHandle();

-  

- -            int newRefCount = Interop.Crypto.UpRefEvpPkey(this);

- +            int success = Interop.Crypto.UpRefEvpPkey(this);

-  

- -            // UpRefEvpPkey returns the number of references to this key, if it's less than 2

- -            // (the incoming handle, and this one) then someone has already Disposed() this key

- -            // into non-existence.

- -            if (newRefCount < 2)

- +            if (success != 1)

-              {

-                  Debug.Fail("Called UpRefEvpPkey on a key which was already marked for destruction");

-                  throw Interop.Crypto.CreateOpenSslCryptographicException();

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/CMakeLists.txt b/src/Native/Unix/System.Security.Cryptography.Native/CMakeLists.txt

- index 352f456d07..9fef63fda8 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/CMakeLists.txt

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/CMakeLists.txt

- @@ -6,7 +6,7 @@ set(CMAKE_INCLUDE_CURRENT_DIR ON)

-  # These are happening inside of OpenSSL-defined macros out of our control

-  add_compile_options(-Wno-cast-align)

-  

- -add_definitions(-DPIC=1)

- +add_definitions(-DPIC=1 -DOPENSSL_API_COMPAT=0x10100000L)

-  

-  if(CMAKE_STATIC_LIB_LINK)

-     set(CMAKE_FIND_LIBRARY_SUFFIXES .a)

- @@ -16,6 +16,7 @@ find_package(OpenSSL REQUIRED)

-  include_directories(SYSTEM ${OPENSSL_INCLUDE_DIR})

-  

-  set(NATIVECRYPTO_SOURCES

- +    apibridge.cpp

-      openssl.cpp

-      pal_asn1.cpp

-      pal_asn1_print.cpp

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/apibridge.cpp b/src/Native/Unix/System.Security.Cryptography.Native/apibridge.cpp

- new file mode 100644

- index 0000000000..fd43051c3f

- --- /dev/null

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/apibridge.cpp

- @@ -0,0 +1,524 @@

- +// Licensed to the .NET Foundation under one or more agreements.

- +// The .NET Foundation licenses this file to you under the MIT license.

- +// See the LICENSE file in the project root for more information.

- +

- +#include "opensslshim.h"

- +#include "pal_crypto_types.h"

- +#include "pal_types.h"

- +

- +#ifdef NEED_OPENSSL_1_0

- +

- +#include "apibridge.h"

- +

- +// Minimally define the structs from 1.0.x which went opaque in 1.1.0 for the

- +// portable build building against the 1.1.x headers

- +#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_0_RTM

- +#include "openssl_1_0_structs.h"

- +

- +#define CRYPTO_LOCK_X509 3

- +#define CRYPTO_LOCK_EVP_PKEY 10

- +

- +#define SSL_CTRL_GET_SESSION_REUSED 8

- +#define SSL_CTRL_OPTIONS 32

- +

- +#define SSL_ST_OK 3

- +#endif

- +

- +extern "C" const ASN1_TIME* local_X509_get0_notBefore(const X509* x509)

- +{

- +    if (x509 && x509->cert_info && x509->cert_info->validity)

- +    {

- +        return x509->cert_info->validity->notBefore;

- +    }

- +

- +    return nullptr;

- +}

- +

- +extern "C" const ASN1_TIME* local_X509_get0_notAfter(const X509* x509)

- +{

- +    if (x509 && x509->cert_info && x509->cert_info->validity)

- +    {

- +        return x509->cert_info->validity->notAfter;

- +    }

- +

- +    return nullptr;

- +}

- +

- +extern "C" const ASN1_TIME* local_X509_CRL_get0_nextUpdate(const X509_CRL* crl)

- +{

- +    if (crl && crl->crl)

- +    {

- +        return crl->crl->nextUpdate;

- +    }

- +

- +    return nullptr;

- +}

- +

- +extern "C" int32_t local_X509_get_version(const X509* x509)

- +{

- +    if (x509 && x509->cert_info)

- +    {

- +        long ver = ASN1_INTEGER_get(x509->cert_info->version);

- +        return (int32_t)ver;

- +    }

- +

- +    return -1;

- +}

- +

- +extern "C" X509_PUBKEY* local_X509_get_X509_PUBKEY(const X509* x509)

- +{

- +    if (x509)

- +    {

- +        return x509->cert_info->key;

- +    }

- +

- +    return nullptr;

- +}

- +

- +extern "C" int32_t local_X509_PUBKEY_get0_param(

- +    ASN1_OBJECT** palgOid, const uint8_t** pkeyBytes, int* pkeyBytesLen, X509_ALGOR** palg, X509_PUBKEY* pubkey)

- +{

- +    if (palgOid)

- +    {

- +        *palgOid = pubkey->algor->algorithm;

- +    }

- +

- +    if (pkeyBytes)

- +    {

- +        *pkeyBytes = pubkey->public_key->data;

- +        *pkeyBytesLen = pubkey->public_key->length;

- +    }

- +

- +    if (palg)

- +    {

- +        *palg = pubkey->algor;

- +    }

- +

- +    return 1;

- +}

- +

- +extern "C" const X509_ALGOR* local_X509_get0_tbs_sigalg(const X509* x509)

- +{

- +    if (x509 && x509->cert_info)

- +    {

- +        return x509->cert_info->signature;

- +    }

- +

- +    return nullptr;

- +}

- +

- +extern "C" ASN1_BIT_STRING* local_X509_get0_pubkey_bitstr(const X509* x509)

- +{

- +    if (x509 && x509->cert_info && x509->cert_info->key)

- +    {

- +        return x509->cert_info->key->public_key;

- +    }

- +

- +    return nullptr;

- +}

- +

- +extern "C" int32_t local_X509_NAME_get0_der(X509_NAME* x509Name, const uint8_t** pder, size_t* pderlen)

- +{

- +    if (!x509Name || !x509Name->bytes)

- +    {

- +        return 0;

- +    }

- +

- +    if (pder)

- +    {

- +        *pder = (unsigned char*)x509Name->bytes->data;

- +    }

- +

- +    if (pderlen)

- +    {

- +        *pderlen = x509Name->bytes->length;

- +    }

- +

- +    return 1;

- +}

- +

- +#ifndef SSLEAY_VERSION

- +#define SSLEAY_VERSION 0

- +#endif

- +

- +extern "C" const char* local_OpenSSL_version(int t)

- +{

- +    (void)t;

- +    return SSLeay_version(SSLEAY_VERSION);

- +}

- +

- +extern "C" const DSA_METHOD* local_DSA_get_method(const DSA* dsa)

- +{

- +    if (dsa)

- +    {

- +        return dsa->meth;

- +    }

- +

- +    return nullptr;

- +}

- +

- +extern "C" void local_DSA_get0_pqg(const DSA* dsa, const BIGNUM** p, const BIGNUM** q, const BIGNUM** g)

- +{

- +    if (!dsa)

- +    {

- +        return;

- +    }

- +

- +    if (p)

- +    {

- +        *p = dsa->p;

- +    }

- +

- +    if (q)

- +    {

- +        *q = dsa->q;

- +    }

- +

- +    if (g)

- +    {

- +        *g = dsa->g;

- +    }

- +}

- +

- +extern "C" const BIGNUM* local_DSA_get0_key(const DSA* dsa, const BIGNUM** pubKey, const BIGNUM** privKey)

- +{

- +    if (dsa)

- +    {

- +        if (pubKey)

- +        {

- +            *pubKey = dsa->pub_key;

- +        }

- +

- +        if (privKey)

- +        {

- +            *privKey = dsa->priv_key;

- +        }

- +    }

- +

- +    return nullptr;

- +}

- +

- +extern "C" int32_t local_DSA_set0_pqg(DSA* dsa, BIGNUM* bnP, BIGNUM* bnQ, BIGNUM* bnG)

- +{

- +    if (!dsa)

- +    {

- +        return 0;

- +    }

- +

- +    if ((dsa->p == nullptr && bnP == nullptr) || (dsa->q == nullptr && bnQ == nullptr) || (dsa->g == nullptr && bnG == nullptr))

- +    {

- +        return 0;

- +    }

- +

- +    if (bnP)

- +    {

- +        BN_free(dsa->p);

- +        dsa->p = bnP;

- +    }

- +

- +    if (bnQ)

- +    {

- +        BN_free(dsa->q);

- +        dsa->q = bnQ;

- +    }

- +

- +    if (bnG)

- +    {

- +        BN_free(dsa->g);

- +        dsa->g = bnG;

- +    }

- +

- +    return 1;

- +}

- +

- +extern "C" int32_t local_DSA_set0_key(DSA* dsa, BIGNUM* bnY, BIGNUM* bnX)

- +{

- +    if (!dsa)

- +    {

- +        return 0;

- +    }

- +

- +    if (dsa->pub_key == nullptr && bnY == nullptr)

- +    {

- +        return 0;

- +    }

- +

- +    if (bnY)

- +    {

- +        BN_free(dsa->pub_key);

- +        dsa->pub_key = bnY;

- +    }

- +

- +    if (bnX)

- +    {

- +        BN_free(dsa->priv_key);

- +        dsa->priv_key = bnX;

- +    }

- +

- +    return 1;

- +}

- +

- +extern "C" int32_t local_EVP_PKEY_up_ref(EVP_PKEY* pkey)

- +{

- +    if (!pkey)

- +    {

- +        return 0;

- +    }

- +

- +    return CRYPTO_add_lock(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY, __FILE__, __LINE__) > 1;

- +}

- +

- +extern "C" EVP_CIPHER_CTX* local_EVP_CIPHER_CTX_new()

- +{

- +    EVP_CIPHER_CTX* ctx = (EVP_CIPHER_CTX*)calloc(1, sizeof(EVP_CIPHER_CTX));

- +    return ctx;

- +}

- +

- +extern "C" int32_t local_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX* ctx)

- +{

- +    if (ctx)

- +    {

- +        int ret = EVP_CIPHER_CTX_cleanup(ctx);

- +        EVP_CIPHER_CTX_init(ctx);

- +        return ret;

- +    }

- +

- +    // OpenSSL 1.1 returns succes 1 on a NULL input

- +    return 1;

- +}

- +

- +extern "C" void local_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX* ctx)

- +{

- +    if (ctx)

- +    {

- +        local_EVP_CIPHER_CTX_reset(ctx);

- +        free(ctx);

- +    }

- +}

- +

- +extern "C" HMAC_CTX* local_HMAC_CTX_new()

- +{

- +    HMAC_CTX* ctx = (HMAC_CTX*)calloc(1, sizeof(HMAC_CTX));

- +

- +    if (ctx)

- +    {

- +        HMAC_CTX_init(ctx);

- +    }

- +

- +    return ctx;

- +}

- +

- +extern "C" void local_HMAC_CTX_free(HMAC_CTX* ctx)

- +{

- +    if (ctx != nullptr)

- +    {

- +        HMAC_CTX_cleanup(ctx);

- +        free(ctx);

- +    }

- +}

- +

- +extern "C" int32_t local_RSA_meth_get_flags(const RSA_METHOD* meth)

- +{

- +    if (meth)

- +    {

- +        return meth->flags;

- +    }

- +

- +    return 0;

- +}

- +

- +extern "C" void local_RSA_get0_key(const RSA* rsa, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d)

- +{

- +    if (rsa)

- +    {

- +        if (n)

- +        {

- +            *n = rsa->n;

- +        }

- +

- +        if (e)

- +        {

- +            *e = rsa->e;

- +        }

- +

- +        if (d)

- +        {

- +            *d = rsa->d;

- +        }

- +    }

- +}

- +

- +extern "C" void local_RSA_get0_factors(const RSA* rsa, const BIGNUM** p, const BIGNUM** q)

- +{

- +    if (rsa)

- +    {

- +        if (p)

- +        {

- +            *p = rsa->p;

- +        }

- +

- +        if (q)

- +        {

- +            *q = rsa->q;

- +        }

- +    }

- +}

- +

- +extern "C" void local_RSA_get0_crt_params(const RSA* rsa, const BIGNUM** dmp1, const BIGNUM** dmq1, const BIGNUM** iqmp)

- +{

- +    if (rsa)

- +    {

- +        if (dmp1)

- +        {

- +            *dmp1 = rsa->dmp1;

- +        }

- +

- +        if (dmq1)

- +        {

- +            *dmq1 = rsa->dmq1;

- +        }

- +

- +        if (iqmp)

- +        {

- +            *iqmp = rsa->iqmp;

- +        }

- +    }

- +}

- +

- +extern "C" int32_t local_RSA_set0_key(RSA* rsa, BIGNUM* n, BIGNUM* e, BIGNUM* d)

- +{

- +    if (rsa == nullptr)

- +    {

- +        return 0;

- +    }

- +

- +    if ((rsa->n == nullptr && n == nullptr) || (rsa->e == nullptr && e == nullptr))

- +    {

- +        return 0;

- +    }

- +

- +    if (n != nullptr)

- +    {

- +        BN_free(rsa->n);

- +        rsa->n = n;

- +    }

- +

- +    if (e != nullptr)

- +    {

- +        BN_free(rsa->e);

- +        rsa->e = e;

- +    }

- +

- +    if (d != nullptr)

- +    {

- +        BN_free(rsa->d);

- +        rsa->d = d;

- +    }

- +

- +    return 1;

- +}

- +

- +extern "C" int32_t local_RSA_set0_factors(RSA* rsa, BIGNUM* p, BIGNUM* q)

- +{

- +    if (rsa == nullptr)

- +    {

- +        return 0;

- +    }

- +

- +    if ((rsa->p == nullptr && p == nullptr) || (rsa->q == nullptr && q == nullptr))

- +    {

- +        return 0;

- +    }

- +

- +    if (p != nullptr)

- +    {

- +        BN_free(rsa->p);

- +        rsa->p = p;

- +    }

- +

- +    if (q != nullptr)

- +    {

- +        BN_free(rsa->q);

- +        rsa->q = q;

- +    }

- +

- +    return 1;

- +}

- +

- +extern "C" int32_t local_RSA_set0_crt_params(RSA* rsa, BIGNUM* dmp1, BIGNUM* dmq1, BIGNUM* iqmp)

- +{

- +    if (rsa == nullptr)

- +    {

- +        return 0;

- +    }

- +

- +    if ((rsa->dmp1 == nullptr && dmp1 == nullptr) || (rsa->dmq1 == nullptr && dmq1 == nullptr) ||

- +        (rsa->iqmp == nullptr && iqmp == nullptr))

- +    {

- +        return 0;

- +    }

- +

- +    if (dmp1 != nullptr)

- +    {

- +        BN_free(rsa->dmp1);

- +        rsa->dmp1 = dmp1;

- +    }

- +

- +    if (dmq1 != nullptr)

- +    {

- +        BN_free(rsa->dmq1);

- +        rsa->dmq1 = dmq1;

- +    }

- +

- +    if (iqmp != nullptr)

- +    {

- +        BN_free(rsa->iqmp);

- +        rsa->iqmp = iqmp;

- +    }

- +

- +    return 1;

- +}

- +

- +extern "C" int32_t local_SSL_is_init_finished(const SSL* ssl)

- +{

- +    return SSL_state(ssl) == SSL_ST_OK;

- +}

- +

- +extern "C" X509Stack* local_X509_STORE_CTX_get0_untrusted(X509_STORE_CTX* ctx)

- +{

- +    return ctx ? ctx->untrusted : nullptr;

- +}

- +

- +extern "C" X509* local_X509_STORE_CTX_get0_cert(X509_STORE_CTX* ctx)

- +{

- +    return ctx ? ctx->cert : nullptr;

- +}

- +

- +extern "C" int32_t local_X509_up_ref(X509* x509)

- +{

- +    if (x509 != nullptr)

- +    {

- +        return CRYPTO_add_lock(&x509->references, 1, CRYPTO_LOCK_X509, __FILE__, __LINE__) > 1;

- +    }

- +

- +    return 0;

- +}

- +

- +extern "C" unsigned long local_SSL_CTX_set_options(SSL_CTX* ctx, unsigned long options)

- +{

- +    // SSL_CTX_ctrl is signed long in and signed long out; but SSL_CTX_set_options,

- +    // which was a macro call to SSL_CTX_ctrl in 1.0, is unsigned/unsigned.

- +    return (unsigned long)SSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, (long)options, nullptr);

- +}

- +

- +extern "C" int local_SSL_session_reused(SSL* ssl)

- +{

- +    return (int)SSL_ctrl(ssl, SSL_CTRL_GET_SESSION_REUSED, 0, nullptr);

- +}

- +

- +extern "C" void local_SSL_CTX_set_security_level(SSL_CTX* ctx, int32_t level)

- +{

- +    (void)ctx;

- +    (void)level;

- +}

- +#endif

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/apibridge.h b/src/Native/Unix/System.Security.Cryptography.Native/apibridge.h

- new file mode 100644

- index 0000000000..39d2718a30

- --- /dev/null

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/apibridge.h

- @@ -0,0 +1,45 @@

- +// Licensed to the .NET Foundation under one or more agreements.

- +// The .NET Foundation licenses this file to you under the MIT license.

- +// See the LICENSE file in the project root for more information.

- +

- +// Functions based on OpenSSL 1.1 API, used when building against/running with OpenSSL 1.0

- +

- +#pragma once

- +#include "pal_types.h"

- +

- +extern "C" const BIGNUM* local_DSA_get0_key(const DSA* dsa, const BIGNUM** pubKey, const BIGNUM** privKey);

- +extern "C" void local_DSA_get0_pqg(const DSA* dsa, const BIGNUM** p, const BIGNUM** q, const BIGNUM** g);

- +extern "C" const DSA_METHOD* local_DSA_get_method(const DSA* dsa);

- +extern "C" int32_t local_DSA_set0_key(DSA* dsa, BIGNUM* bnY, BIGNUM* bnX);

- +extern "C" int32_t local_DSA_set0_pqg(DSA* dsa, BIGNUM* bnP, BIGNUM* bnQ, BIGNUM* bnG);

- +extern "C" void local_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX* ctx);

- +extern "C" EVP_CIPHER_CTX* local_EVP_CIPHER_CTX_new(void);

- +extern "C" int32_t local_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX* ctx);

- +extern "C" int32_t local_EVP_PKEY_up_ref(EVP_PKEY* pkey);

- +extern "C" void local_HMAC_CTX_free(HMAC_CTX* ctx);

- +extern "C" HMAC_CTX* local_HMAC_CTX_new(void);

- +extern "C" const char* local_OpenSSL_version(int t);

- +extern "C" void local_RSA_get0_crt_params(const RSA* rsa, const BIGNUM** dmp1, const BIGNUM** dmq1, const BIGNUM** iqmp);

- +extern "C" void local_RSA_get0_factors(const RSA* rsa, const BIGNUM** p, const BIGNUM** q);

- +extern "C" void local_RSA_get0_key(const RSA* rsa, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d);

- +extern "C" int32_t local_RSA_meth_get_flags(const RSA_METHOD* meth);

- +extern "C" int32_t local_RSA_set0_crt_params(RSA* rsa, BIGNUM* dmp1, BIGNUM* dmq1, BIGNUM* iqmp);

- +extern "C" int32_t local_RSA_set0_factors(RSA* rsa, BIGNUM* p, BIGNUM* q);

- +extern "C" int32_t local_RSA_set0_key(RSA* rsa, BIGNUM* n, BIGNUM* e, BIGNUM* d);

- +extern "C" int32_t local_SSL_is_init_finished(const SSL* ssl);

- +extern "C" unsigned long local_SSL_CTX_set_options(SSL_CTX* ctx, unsigned long options);

- +extern "C" void local_SSL_CTX_set_security_level(SSL_CTX* ctx, int32_t level);

- +extern "C" int local_SSL_session_reused(SSL* ssl);

- +extern "C" const ASN1_TIME* local_X509_CRL_get0_nextUpdate(const X509_CRL* crl);

- +extern "C" int32_t local_X509_NAME_get0_der(X509_NAME* x509Name, const uint8_t** pder, size_t* pderlen);

- +extern "C" int32_t local_X509_PUBKEY_get0_param(

- +    ASN1_OBJECT** palgOid, const uint8_t** pkeyBytes, int* pkeyBytesLen, X509_ALGOR** palg, X509_PUBKEY* pubkey);

- +extern "C" X509* local_X509_STORE_CTX_get0_cert(X509_STORE_CTX* ctx);

- +extern "C" STACK_OF(X509) * local_X509_STORE_CTX_get0_untrusted(X509_STORE_CTX* ctx);

- +extern "C" const ASN1_TIME* local_X509_get0_notAfter(const X509* x509);

- +extern "C" const ASN1_TIME* local_X509_get0_notBefore(const X509* x509);

- +extern "C" ASN1_BIT_STRING* local_X509_get0_pubkey_bitstr(const X509* x509);

- +extern "C" const X509_ALGOR* local_X509_get0_tbs_sigalg(const X509* x509);

- +extern "C" X509_PUBKEY* local_X509_get_X509_PUBKEY(const X509* x509);

- +extern "C" int32_t local_X509_get_version(const X509* x509);

- +extern "C" int32_t local_X509_up_ref(X509* x509);

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/configure.cmake b/src/Native/Unix/System.Security.Cryptography.Native/configure.cmake

- index 809ffe318e..cdc9f50f3c 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/configure.cmake

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/configure.cmake

- @@ -2,11 +2,6 @@ include(CheckLibraryExists)

-  include(CheckFunctionExists)

-  

-  set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})

- -

- -# Check which versions of TLS the OpenSSL/ssl library supports

- -check_library_exists(${OPENSSL_SSL_LIBRARY} "TLSv1_1_method" "" HAVE_TLS_V1_1)

- -check_library_exists(${OPENSSL_SSL_LIBRARY} "TLSv1_2_method" "" HAVE_TLS_V1_2)

- -

-  set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})

-  

-  check_function_exists(

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/openssl.cpp b/src/Native/Unix/System.Security.Cryptography.Native/openssl.cpp

- index 46396370b4..f419b755b7 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/openssl.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/openssl.cpp

- @@ -6,6 +6,7 @@

-  #include "pal_utilities.h"

-  #include "pal_safecrt.h"

-  #include "opensslshim.h"

- +#include "openssl.h"

-  

-  #include <assert.h>

-  #include <limits.h>

- @@ -78,7 +79,7 @@ extern "C" int32_t CryptoNative_GetX509Thumbprint(X509* x509, uint8_t* pBuf, int

-          return -SHA_DIGEST_LENGTH;

-      }

-  

- -    if (!X509_digest(x509, EVP_sha1(), pBuf, NULL))

- +    if (!X509_digest(x509, EVP_sha1(), pBuf, nullptr))

-      {

-          return 0;

-      }

- @@ -97,14 +98,14 @@ Return values:

-  NULL if the validity cannot be determined, a pointer to the ASN1_TIME structure for the NotBefore value

-  otherwise.

-  */

- -extern "C" ASN1_TIME* CryptoNative_GetX509NotBefore(X509* x509)

- +extern "C" const ASN1_TIME* CryptoNative_GetX509NotBefore(X509* x509)

-  {

- -    if (x509 && x509->cert_info && x509->cert_info->validity)

- +    if (x509)

-      {

- -        return x509->cert_info->validity->notBefore;

- +        return X509_get0_notBefore(x509);

-      }

-  

- -    return NULL;

- +    return nullptr;

-  }

-  

-  /*

- @@ -118,14 +119,14 @@ Return values:

-  NULL if the validity cannot be determined, a pointer to the ASN1_TIME structure for the NotAfter value

-  otherwise.

-  */

- -extern "C" ASN1_TIME* CryptoNative_GetX509NotAfter(X509* x509)

- +extern "C" const ASN1_TIME* CryptoNative_GetX509NotAfter(X509* x509)

-  {

- -    if (x509 && x509->cert_info && x509->cert_info->validity)

- +    if (x509)

-      {

- -        return x509->cert_info->validity->notAfter;

- +        return X509_get0_notAfter(x509);

-      }

-  

- -    return NULL;

- +    return nullptr;

-  }

-  

-  /*

- @@ -139,14 +140,14 @@ Return values:

-  NULL if the validity cannot be determined, a pointer to the ASN1_TIME structure for the NextUpdate value

-  otherwise.

-  */

- -extern "C" ASN1_TIME* CryptoNative_GetX509CrlNextUpdate(X509_CRL* crl)

- +extern "C" const ASN1_TIME* CryptoNative_GetX509CrlNextUpdate(X509_CRL* crl)

-  {

-      if (crl)

-      {

- -        return X509_CRL_get_nextUpdate(crl);

- +        return X509_CRL_get0_nextUpdate(crl);

-      }

-  

- -    return NULL;

- +    return nullptr;

-  }

-  

-  /*

- @@ -165,9 +166,9 @@ The encoded value of the version, otherwise:

-  */

-  extern "C" int32_t CryptoNative_GetX509Version(X509* x509)

-  {

- -    if (x509 && x509->cert_info)

- +    if (x509)

-      {

- -        long ver = ASN1_INTEGER_get(x509->cert_info->version);

- +        long ver = X509_get_version(x509);

-          return static_cast<int32_t>(ver);

-      }

-  

- @@ -187,12 +188,18 @@ describing the object type.

-  */

-  extern "C" ASN1_OBJECT* CryptoNative_GetX509PublicKeyAlgorithm(X509* x509)

-  {

- -    if (x509 && x509->cert_info && x509->cert_info->key && x509->cert_info->key->algor)

- +    if (x509)

-      {

- -        return x509->cert_info->key->algor->algorithm;

- +        X509_PUBKEY* pubkey = X509_get_X509_PUBKEY(x509);

- +        ASN1_OBJECT* algOid;

- +

- +        if (pubkey && X509_PUBKEY_get0_param(&algOid, nullptr, nullptr, nullptr, pubkey))

- +        {

- +            return algOid;

- +        }

-      }

-  

- -    return NULL;

- +    return nullptr;

-  }

-  

-  /*

- @@ -208,12 +215,17 @@ describing the object type.

-  */

-  extern "C" ASN1_OBJECT* CryptoNative_GetX509SignatureAlgorithm(X509* x509)

-  {

- -    if (x509 && x509->sig_alg && x509->sig_alg->algorithm)

- +    if (x509)

-      {

- -        return x509->sig_alg->algorithm;

- +        const X509_ALGOR* sigAlg = X509_get0_tbs_sigalg(x509);

- +

- +        if (sigAlg)

- +        {

- +            return sigAlg->algorithm;

- +        }

-      }

-  

- -    return NULL;

- +    return nullptr;

-  }

-  

-  /*

- @@ -230,21 +242,35 @@ Any negative value: The input buffer size was reported as insufficient. A buffer

-  */

-  extern "C" int32_t CryptoNative_GetX509PublicKeyParameterBytes(X509* x509, uint8_t* pBuf, int32_t cBuf)

-  {

- -    if (!x509 || !x509->cert_info || !x509->cert_info->key || !x509->cert_info->key->algor)

- +    if (!x509)

- +    {

- +        return 0;

- +    }

- +

- +    X509_PUBKEY* pubkey = X509_get_X509_PUBKEY(x509);

- +

- +    if (!pubkey)

- +    {

- +        return 0;

- +    }

- +

- +    X509_ALGOR* alg;

- +

- +    if (!X509_PUBKEY_get0_param(nullptr, nullptr, nullptr, &alg, pubkey) || !alg)

-      {

-          return 0;

-      }

-  

- -    ASN1_TYPE* parameter = x509->cert_info->key->algor->parameter;

- +    ASN1_TYPE* parameter = alg->parameter;

-  

-      if (!parameter)

-      {

-          // If pBuf is NULL we're asking for the length, so return 0 (which is negative-zero)

-          // If pBuf is non-NULL we're asking to fill the data, in which case we return 1.

- -        return pBuf != NULL;

- +        return pBuf != nullptr;

-      }

- -    

- -    int len = i2d_ASN1_TYPE(parameter, NULL);

- +

- +    int len = i2d_ASN1_TYPE(parameter, nullptr);

-  

-      if (cBuf < len)

-      {

- @@ -275,12 +301,12 @@ the public key.

-  */

-  extern "C" ASN1_BIT_STRING* CryptoNative_GetX509PublicKeyBytes(X509* x509)

-  {

- -    if (x509 && x509->cert_info && x509->cert_info->key)

- +    if (x509)

-      {

- -        return x509->cert_info->key->public_key;

- +        return X509_get0_pubkey_bitstr(x509);

-      }

-  

- -    return NULL;

- +    return nullptr;

-  }

-  

-  /*

- @@ -353,7 +379,10 @@ Any negative value: The input buffer size was reported as insufficient. A buffer

-  */

-  extern "C" int32_t CryptoNative_GetX509NameRawBytes(X509_NAME* x509Name, uint8_t* pBuf, int32_t cBuf)

-  {

- -    if (!x509Name || !x509Name->bytes || cBuf < 0)

- +    const uint8_t* nameBuf;

- +    size_t nameBufLen;

- +

- +    if (!x509Name || cBuf < 0 || !X509_NAME_get0_der(x509Name, &nameBuf, &nameBufLen))

-      {

-          return 0;

-      }

- @@ -367,13 +396,13 @@ extern "C" int32_t CryptoNative_GetX509NameRawBytes(X509_NAME* x509Name, uint8_t

-       * value is less than INT_MAX in it's native format; once we know it is not

-       * too large, we can safely cast to an int to make sure it is not negative

-       */

- -    if (x509Name->bytes->length > INT_MAX)

- +    if (nameBufLen > INT_MAX)

-      {

-          assert(0 && "Huge length X509_NAME");

-          return 0;

-      }

-  

- -    int length = static_cast<int>(x509Name->bytes->length);

- +    int length = static_cast<int>(nameBufLen);

-  

-      if (length < 0)

-      {

- @@ -386,7 +415,7 @@ extern "C" int32_t CryptoNative_GetX509NameRawBytes(X509_NAME* x509Name, uint8_t

-          return -length;

-      }

-  

- -    memcpy_s(pBuf, UnsignedCast(cBuf), x509Name->bytes->data, UnsignedCast(length));

- +    memcpy_s(pBuf, UnsignedCast(cBuf), nameBuf, UnsignedCast(length));

-      return 1;

-  }

-  

- @@ -437,9 +466,9 @@ extern "C" BIO* CryptoNative_GetX509NameInfo(X509* x509, int32_t nameType, int32

-  {

-      static const char szOidUpn[] = "1.3.6.1.4.1.311.20.2.3";

-  

- -    if (!x509 || !x509->cert_info || nameType < NAME_TYPE_SIMPLE || nameType > NAME_TYPE_URL)

- +    if (!x509 || nameType < NAME_TYPE_SIMPLE || nameType > NAME_TYPE_URL)

-      {

- -        return NULL;

- +        return nullptr;

-      }

-  

-      // Algorithm behaviors (pseudocode).  When forIssuer is true, replace "Subject" with "Issuer" and

- @@ -454,15 +483,15 @@ extern "C" BIO* CryptoNative_GetX509NameInfo(X509* x509, int32_t nameType, int32

-      // UrlName: SAN.Entries.FirstOrDefault(type == GEN_URI);

-      if (nameType == NAME_TYPE_SIMPLE)

-      {

- -        X509_NAME* name = forIssuer ? x509->cert_info->issuer : x509->cert_info->subject;

- +        X509_NAME* name = forIssuer ? X509_get_issuer_name(x509) : X509_get_subject_name(x509);

-  

-          if (name)

-          {

- -            ASN1_STRING* cn = NULL;

- -            ASN1_STRING* ou = NULL;

- -            ASN1_STRING* o = NULL;

- -            ASN1_STRING* e = NULL;

- -            ASN1_STRING* firstRdn = NULL;

- +            ASN1_STRING* cn = nullptr;

- +            ASN1_STRING* ou = nullptr;

- +            ASN1_STRING* o = nullptr;

- +            ASN1_STRING* e = nullptr;

- +            ASN1_STRING* firstRdn = nullptr;

-  

-              // Walk the list backwards because it is stored in stack order

-              for (int i = X509_NAME_entry_count(name) - 1; i >= 0; --i)

- @@ -564,7 +593,7 @@ extern "C" BIO* CryptoNative_GetX509NameInfo(X509* x509, int32_t nameType, int32

-          }

-  

-          STACK_OF(GENERAL_NAME)* altNames = static_cast<STACK_OF(GENERAL_NAME)*>(

- -            X509_get_ext_d2i(x509, forIssuer ? NID_issuer_alt_name : NID_subject_alt_name, NULL, NULL));

- +            X509_get_ext_d2i(x509, forIssuer ? NID_issuer_alt_name : NID_subject_alt_name, nullptr, nullptr));

-  

-          if (altNames)

-          {

- @@ -576,7 +605,7 @@ extern "C" BIO* CryptoNative_GetX509NameInfo(X509* x509, int32_t nameType, int32

-  

-                  if (altName && altName->type == expectedType)

-                  {

- -                    ASN1_STRING* str = NULL;

- +                    ASN1_STRING* str = nullptr;

-  

-                      switch (nameType)

-                      {

- @@ -629,7 +658,7 @@ extern "C" BIO* CryptoNative_GetX509NameInfo(X509* x509, int32_t nameType, int32

-  

-      if (nameType == NAME_TYPE_EMAIL || nameType == NAME_TYPE_DNS)

-      {

- -        X509_NAME* name = forIssuer ? x509->cert_info->issuer : x509->cert_info->subject;

- +        X509_NAME* name = forIssuer ? X509_get_issuer_name(x509) : X509_get_subject_name(x509);

-          int expectedNid = NID_undef;

-  

-          switch (nameType)

- @@ -674,7 +703,7 @@ extern "C" BIO* CryptoNative_GetX509NameInfo(X509* x509, int32_t nameType, int32

-          }

-      }

-  

- -    return NULL;

- +    return nullptr;

-  }

-  

-  /*

- @@ -821,7 +850,7 @@ extern "C" int32_t CryptoNative_CheckX509Hostname(X509* x509, const char* hostna

-      int subjectNid = NID_commonName;

-      int sanGenType = GEN_DNS;

-      GENERAL_NAMES* san = static_cast<GENERAL_NAMES*>(

- -        X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL));

- +        X509_get_ext_d2i(x509, NID_subject_alt_name, nullptr, nullptr));

-      char readSubject = 1;

-      int success = 0;

-  

- @@ -909,7 +938,7 @@ extern "C" int32_t CryptoNative_CheckX509IpAddress(

-  

-      int subjectNid = NID_commonName;

-      int sanGenType = GEN_IPADD;

- -    GENERAL_NAMES* san = static_cast<GENERAL_NAMES*>(X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL));

- +    GENERAL_NAMES* san = static_cast<GENERAL_NAMES*>(X509_get_ext_d2i(x509, NID_subject_alt_name, nullptr, nullptr));

-      int success = 0;

-  

-      if (san)

- @@ -1070,7 +1099,7 @@ otherwise NULL.

-  */

-  extern "C" X509* CryptoNative_ReadX509AsDerFromBio(BIO* bio)

-  {

- -    return d2i_X509_bio(bio, NULL);

- +    return d2i_X509_bio(bio, nullptr);

-  }

-  

-  /*

- @@ -1242,6 +1271,26 @@ extern "C" int32_t CryptoNative_LookupFriendlyNameByOid(const char* oidValue, co

-      return 0;

-  }

-  

- +#ifndef OPENSSL_VERSION

- +#define OPENSSL_VERSION 0

- +#endif

- +

- +/*

- +Function:

- +SSLEayVersion

- +

- +Gets the version of openssl library.

- +

- +Return values:

- +Textual description of the version on success.

- +"not available" string on failure.

- +*/

- +extern "C" char* CryptoNative_SSLEayVersion()

- +{

- +    return strdup(OpenSSL_version(OPENSSL_VERSION));

- +}

- +

- +#ifdef NEED_OPENSSL_1_0

-  // Lock used to make sure EnsureopenSslInitialized itself is thread safe

-  static pthread_mutex_t g_initLock = PTHREAD_MUTEX_INITIALIZER;

-  

- @@ -1262,6 +1311,10 @@ static void LockingCallback(int mode, int n, const char* file, int line)

-  #pragma clang diagnostic push

-  #pragma clang diagnostic ignored "-Wthread-safety-analysis"

-  

- +#ifndef CRYPTO_LOCK

- +#define CRYPTO_LOCK 1

- +#endif

- +

-      int result;

-      if (mode & CRYPTO_LOCK)

-      {

- @@ -1307,7 +1360,7 @@ Return values:

-  0 on success

-  non-zero on failure

-  */

- -extern "C" int32_t CryptoNative_EnsureOpenSslInitialized()

- +static int32_t EnsureOpenSsl10Initialized()

-  {

-      int ret = 0;

-      int numLocks = 0;

- @@ -1383,25 +1436,53 @@ done:

-                  pthread_mutex_destroy(&g_locks[i]); // ignore failures

-              }

-              delete[] g_locks;

- -            g_locks = NULL;

- +            g_locks = nullptr;

-          }

-      }

-  

-      pthread_mutex_unlock(&g_initLock);

-      return ret;

-  }

- +#endif // NEED_OPENSSL_1_0 */

-  

- -/*

- -Function:

- -SSLEayVersion

- +#ifdef NEED_OPENSSL_1_1

-  

- -Gets the version of openssl library.

- +static int32_t EnsureOpenSsl11Initialized()

- +{

- +    // In OpenSSL 1.0 we call OPENSSL_add_all_algorithms_conf() and ERR_load_crypto_strings(),

- +    // so do the same for 1.1

- +    OPENSSL_init_ssl(

- +        // OPENSSL_add_all_algorithms_conf

- +            OPENSSL_INIT_ADD_ALL_CIPHERS |

- +            OPENSSL_INIT_ADD_ALL_DIGESTS |

- +            OPENSSL_INIT_LOAD_CONFIG |

- +        // ERR_load_crypto_strings

- +            OPENSSL_INIT_LOAD_CRYPTO_STRINGS |

- +            OPENSSL_INIT_LOAD_SSL_STRINGS,

- +        nullptr);

-  

- -Return values:

- -Textual description of the version on success.

- -"not available" string on failure.

- -*/

- -extern "C" char* CryptoNative_SSLEayVersion()

- +    return 0;

- +}

- +

- +#endif

- +

- +extern "C" int32_t CryptoNative_EnsureOpenSslInitialized()

-  {

- -    return strdup(SSLeay_version(SSLEAY_VERSION));

- +    // If portable then decide which OpenSSL we are, and call the right one.

- +    // If 1.0, call the 1.0 one.

- +    // Otherwise call the 1.1 one.

- +#ifdef FEATURE_DISTRO_AGNOSTIC_SSL

- +    if (API_EXISTS(SSL_state))

- +    {

- +        return EnsureOpenSsl10Initialized();

- +    }

- +    else

- +    {

- +        return EnsureOpenSsl11Initialized();

- +    }

- +#elif OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM

- +    return EnsureOpenSsl10Initialized();

- +#else

- +    return EnsureOpenSsl11Initialized();

- +#endif

-  }

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/openssl.h b/src/Native/Unix/System.Security.Cryptography.Native/openssl.h

- new file mode 100644

- index 0000000000..372d6fd45a

- --- /dev/null

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/openssl.h

- @@ -0,0 +1,11 @@

- +// Licensed to the .NET Foundation under one or more agreements.

- +// The .NET Foundation licenses this file to you under the MIT license.

- +// See the LICENSE file in the project root for more information.

- +//

- +

- +#pragma once

- +

- +#include "pal_compiler.h"

- +#include "opensslshim.h"

- +

- +extern "C" char* CryptoNative_SSLEayVersion();

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/openssl_1_0_structs.h b/src/Native/Unix/System.Security.Cryptography.Native/openssl_1_0_structs.h

- new file mode 100644

- index 0000000000..8852c3c1b3

- --- /dev/null

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/openssl_1_0_structs.h

- @@ -0,0 +1,139 @@

- +// Licensed to the .NET Foundation under one or more agreements.

- +// The .NET Foundation licenses this file to you under the MIT license.

- +// See the LICENSE file in the project root for more information.

- +

- +// Definitions of structures from OpenSSL 1.0.2, modified as relevant to

- +// building .NET Core.

- +

- +// The CRYPTO_EX_DATA struct is smaller in 1.1, which changes the packing of

- +// dsa_st

- +struct crypto_ex_data_10_st

- +{

- +    STACK_OF(void) * sk;

- +    int dummy;

- +};

- +

- +struct dsa_st

- +{

- +    int _ignored0;

- +    long _ignored1;

- +    int _ignored2;

- +    BIGNUM* p;

- +    BIGNUM* q;

- +    BIGNUM* g;

- +    BIGNUM* pub_key;

- +    BIGNUM* priv_key;

- +    const void* _ignored3;

- +    const void* _ignored4;

- +    int _ignored5;

- +    const void* _ignored6;

- +    int _ignored7;

- +    struct crypto_ex_data_10_st ex_data;

- +    const DSA_METHOD* meth;

- +};

- +

- +struct evp_cipher_ctx_st

- +{

- +    // 0xA8 is the sizeof value when building against OpenSSL 1.0.2 on

- +    // Ubuntu 16.04

- +    unsigned char _ignored0[0xA8];

- +};

- +

- +struct evp_pkey_st

- +{

- +    int _ignored0;

- +    int _ignored1;

- +    int references;

- +};

- +

- +struct hmac_ctx_st

- +{

- +    // 0x120 is the sizeof value when building against OpenSSL 1.0.2 on

- +    // Ubuntu 16.04

- +    unsigned char _ignored0[0x120];

- +};

- +

- +struct rsa_meth_st

- +{

- +    const void* _ignored0;

- +    const void* _ignored1;

- +    const void* _ignored2;

- +    const void* _ignored3;

- +    const void* _ignored4;

- +    const void* _ignored5;

- +    const void* _ignored6;

- +    const void* _ignored7;

- +    const void* _ignored8;

- +    int flags;

- +};

- +

- +struct rsa_st

- +{

- +    int _ignored0;

- +    long _ignored1;

- +    const RSA_METHOD* meth;

- +    const void* _ignored2;

- +    BIGNUM* n;

- +    BIGNUM* e;

- +    BIGNUM* d;

- +    BIGNUM* p;

- +    BIGNUM* q;

- +    BIGNUM* dmp1;

- +    BIGNUM* dmq1;

- +    BIGNUM* iqmp;

- +};

- +

- +struct x509_cinf_st

- +{

- +    ASN1_INTEGER* version;

- +    ASN1_INTEGER* serialNumber;

- +    X509_ALGOR* signature;

- +    X509_NAME* issuer;

- +    X509_VAL* validity;

- +    X509_NAME* subject;

- +    X509_PUBKEY* key;

- +};

- +

- +struct X509_crl_info_st

- +{

- +    const void* _ignored0;

- +    const void* _ignored1;

- +    const void* _ignored2;

- +    const void* _ignored3;

- +    ASN1_TIME* nextUpdate;

- +};

- +

- +struct X509_crl_st

- +{

- +    X509_CRL_INFO* crl;

- +};

- +

- +struct X509_name_st

- +{

- +    STACK_OF(X509_NAME_ENTRY) * entries;

- +    int _ignored0;

- +    BUF_MEM* bytes;

- +};

- +

- +struct X509_pubkey_st

- +{

- +    X509_ALGOR* algor;

- +    ASN1_BIT_STRING* public_key;

- +};

- +

- +struct x509_st

- +{

- +    X509_CINF* cert_info;

- +    const void* _ignored0;

- +    const void* _ignored1;

- +    int _ignored2;

- +    int references;

- +};

- +

- +struct x509_store_ctx_st

- +{

- +    const void* _ignored0;

- +    int _ignored1;

- +    X509* cert;

- +    STACK_OF(X509*) untrusted;

- +};

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.cpp b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.cpp

- index f4e1cb71cb..585f7ac23f 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.cpp

- @@ -5,13 +5,25 @@

-  

-  #include <dlfcn.h>

-  #include <stdio.h>

- +#include <stdbool.h>

- +#include <string.h>

-  

-  #include "opensslshim.h"

-  

- -// Define pointers to all the used ICU functions

- -#define PER_FUNCTION_BLOCK(fn, isRequired) decltype(fn) fn##_ptr;

- +// Define pointers to all the used OpenSSL functions

- +#define REQUIRED_FUNCTION(fn) __typeof(fn) fn##_ptr;

- +#define NEW_REQUIRED_FUNCTION(fn) __typeof(fn) fn##_ptr;

- +#define LIGHTUP_FUNCTION(fn) __typeof(fn) fn##_ptr;

- +#define FALLBACK_FUNCTION(fn) __typeof(fn) fn##_ptr;

- +#define RENAMED_FUNCTION(fn,oldfn) __typeof(fn) fn##_ptr;

- +#define LEGACY_FUNCTION(fn) __typeof(fn) fn##_ptr;

-  FOR_ALL_OPENSSL_FUNCTIONS

- -#undef PER_FUNCTION_BLOCK

- +#undef LEGACY_FUNCTION

- +#undef RENAMED_FUNCTION

- +#undef FALLBACK_FUNCTION

- +#undef LIGHTUP_FUNCTION

- +#undef NEW_REQUIRED_FUNCTION

- +#undef REQUIRED_FUNCTION

-  

-  // x.x.x, considering the max number of decimal digits for each component

-  static const int MaxVersionStringLength = 32;

- @@ -35,6 +47,12 @@ bool OpenLibrary()

-          libssl = dlopen(soName, RTLD_LAZY);

-      }

-  

- +    if (libssl == nullptr)

- +    {

- +        // Prefer OpenSSL 1.1.x

- +        libssl = dlopen("libssl.so.1.1", RTLD_LAZY);

- +    }

- +

-      if (libssl == nullptr)

-      {

-          // Debian 9 has dropped support for SSLv3 and so they have bumped their soname. Let's try it

- @@ -63,17 +81,41 @@ void InitializeOpenSSLShim()

-  {

-      if (!OpenLibrary())

-      {

- -        fprintf(stderr, "No usable version of the libssl was found\n");

- +        fprintf(stderr, "No usable version of libssl was found\n");

-          abort();

-      }

-  

- -    // Get pointers to all the ICU functions that are needed

- -#define PER_FUNCTION_BLOCK(fn, isRequired) \

- -    fn##_ptr = reinterpret_cast<decltype(fn)>(dlsym(libssl, #fn)); \

- -    if ((fn##_ptr) == NULL && isRequired) { fprintf(stderr, "Cannot get required symbol " #fn " from libssl\n"); abort(); }

- +    // A function defined in libcrypto.so.1.0.0/libssl.so.1.0.0 that is not defined in

- +    // libcrypto.so.1.1.0/libssl.so.1.1.0

- +    const void* v1_0_sentinel = dlsym(libssl, "SSL_state");

- +

- +    // Get pointers to all the functions that are needed

- +#define REQUIRED_FUNCTION(fn) \

- +    if (!(fn##_ptr = (__typeof(fn))(dlsym(libssl, #fn)))) { fprintf(stderr, "Cannot get required symbol " #fn " from libssl\n"); abort(); }

- +

- +#define NEW_REQUIRED_FUNCTION(fn) \

- +    if (!v1_0_sentinel && !(fn##_ptr = (__typeof(fn))(dlsym(libssl, #fn)))) { fprintf(stderr, "Cannot get required symbol " #fn " from libssl\n"); abort(); }

- +

- +#define LIGHTUP_FUNCTION(fn) \

- +    fn##_ptr = (__typeof(fn))(dlsym(libssl, #fn));

- +

- +#define FALLBACK_FUNCTION(fn) \

- +    if (!(fn##_ptr = (__typeof(fn))(dlsym(libssl, #fn)))) { fn##_ptr = (__typeof(fn))local_##fn; }

- +

- +#define RENAMED_FUNCTION(fn,oldfn) \

- +    if (!v1_0_sentinel && !(fn##_ptr = (__typeof(fn))(dlsym(libssl, #fn)))) { fprintf(stderr, "Cannot get required symbol " #fn " from libssl\n"); abort(); } \

- +    if (v1_0_sentinel && !(fn##_ptr = (__typeof(fn))(dlsym(libssl, #oldfn)))) { fprintf(stderr, "Cannot get required symbol " #oldfn " from libssl\n"); abort(); }

- +

- +#define LEGACY_FUNCTION(fn) \

- +    if (v1_0_sentinel && !(fn##_ptr = (__typeof(fn))(dlsym(libssl, #fn)))) { fprintf(stderr, "Cannot get required symbol " #fn " from libssl\n"); abort(); }

-  

-      FOR_ALL_OPENSSL_FUNCTIONS

- -#undef PER_FUNCTION_BLOCK    

- +#undef LEGACY_FUNCTION

- +#undef RENAMED_FUNCTION

- +#undef FALLBACK_FUNCTION

- +#undef LIGHTUP_FUNCTION

- +#undef NEW_REQUIRED_FUNCTION

- +#undef REQUIRED_FUNCTION

-  }

-  

-  __attribute__((destructor))

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h

- index afb2559d12..c10cc1d534 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h

- @@ -3,7 +3,7 @@

-  // See the LICENSE file in the project root for more information.

-  //

-  

- -// Enable calling OpenSSL functions through shims to enable support for 

- +// Enable calling OpenSSL functions through shims to enable support for

-  // different versioned so files naming and different configuration options

-  // on various Linux distributions.

-  

- @@ -16,8 +16,8 @@

-  #include <openssl/bn.h>

-  #include <openssl/crypto.h>

-  #include <openssl/dsa.h>

- -#include <openssl/ecdsa.h>

-  #include <openssl/ec.h>

- +#include <openssl/ecdsa.h>

-  #include <openssl/err.h>

-  #include <openssl/evp.h>

-  #include <openssl/hmac.h>

- @@ -35,34 +35,137 @@

-  #include <openssl/x509v3.h>

-  

-  #include "pal_crypto_config.h"

- +#define OPENSSL_VERSION_1_1_0_RTM 0x10100000L

- +#define OPENSSL_VERSION_1_0_2_RTM 0x10002000L

- +

- +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM

- +

- +// Remove problematic #defines

- +#undef SSL_get_state

- +#undef SSL_is_init_finished

- +#undef X509_get_X509_PUBKEY

- +#undef X509_get_version

- +

- +#endif

- +

- +#ifdef EVP_MD_CTX_create

- +#undef EVP_MD_CTX_create

- +#undef EVP_MD_CTX_init

- +#undef EVP_MD_CTX_destroy

- +#undef SSLv23_method

- +#endif

- +

- +#if defined FEATURE_DISTRO_AGNOSTIC_SSL || OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM

- +#include "apibridge.h"

- +#endif

-  

-  #ifdef FEATURE_DISTRO_AGNOSTIC_SSL

-  

- +#define NEED_OPENSSL_1_0 true

- +#define NEED_OPENSSL_1_1 true

- +

-  #if !HAVE_OPENSSL_EC2M

-  // In portable build, we need to support the following functions even if they were not present

-  // on the build OS. The shim will detect their presence at runtime.

-  #undef HAVE_OPENSSL_EC2M

-  #define HAVE_OPENSSL_EC2M 1

- -const EC_METHOD *EC_GF2m_simple_method(void);

- -int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);

- -int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);

- -int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,

- -        const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);

- -int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,

- -        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);

- +extern "C" const EC_METHOD* EC_GF2m_simple_method(void);

- +extern "C" int EC_GROUP_get_curve_GF2m(const EC_GROUP* group, BIGNUM* p, BIGNUM* a, BIGNUM* b, BN_CTX* ctx);

- +extern "C" int EC_GROUP_set_curve_GF2m(EC_GROUP* group, const BIGNUM* p, const BIGNUM* a, const BIGNUM* b, BN_CTX* ctx);

- +extern "C" int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP* group, const EC_POINT* p, BIGNUM* x, BIGNUM* y, BN_CTX* ctx);

- +extern "C" int EC_POINT_set_affine_coordinates_GF2m(

- +    const EC_GROUP* group, EC_POINT* p, const BIGNUM* x, const BIGNUM* y, BN_CTX* ctx);

- +#endif

- +#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_0_RTM

- +typedef struct stack_st _STACK;

- +extern "C" ASN1_STRING* d2i_ASN1_type_bytes(ASN1_STRING** a, const unsigned char** pp, long length, int type);

- +extern "C" int CRYPTO_add_lock(int* pointer, int amount, int type, const char* file, int line);

- +extern "C" int CRYPTO_num_locks(void);

- +extern "C" void CRYPTO_set_locking_callback(void (*func)(int mode, int type, const char* file, int line));

- +extern "C" void ERR_load_crypto_strings(void);

- +extern "C" int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX* a);

- +extern "C" int EVP_CIPHER_CTX_init(EVP_CIPHER_CTX* a);

- +extern "C" void HMAC_CTX_cleanup(HMAC_CTX* ctx);

- +extern "C" void HMAC_CTX_init(HMAC_CTX* ctx);

- +extern "C" void OPENSSL_add_all_algorithms_conf(void);

- +extern "C" int SSL_library_init(void);

- +extern "C" void SSL_load_error_strings(void);

- +extern "C" int SSL_state(const SSL* ssl);

- +extern "C" const char* SSLeay_version(int t);

- +#else

- +typedef struct ossl_init_settings_st OPENSSL_INIT_SETTINGS;

- +typedef struct stack_st OPENSSL_STACK;

- +

- +#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0x00000002L

- +#define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L

- +#define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L

- +#define OPENSSL_INIT_LOAD_CONFIG 0x00000040L

- +#define OPENSSL_INIT_LOAD_SSL_STRINGS 0x00200000L

- +

- +extern "C" const BIGNUM* DSA_get0_key(const DSA* dsa, const BIGNUM** pubKey, const BIGNUM** privKey);

- +extern "C" void DSA_get0_pqg(const DSA* dsa, const BIGNUM** p, const BIGNUM** q, const BIGNUM** g);

- +extern "C" const DSA_METHOD* DSA_get_method(const DSA* dsa);

- +extern "C" int32_t DSA_set0_key(DSA* dsa, BIGNUM* bnY, BIGNUM* bnX);

- +extern "C" int32_t DSA_set0_pqg(DSA* dsa, BIGNUM* bnP, BIGNUM* bnQ, BIGNUM* bnG);

- +extern "C" void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX* ctx);

- +extern "C" EVP_CIPHER_CTX* EVP_CIPHER_CTX_new(void);

- +extern "C" int32_t EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX* ctx);

- +extern "C" void EVP_MD_CTX_free(EVP_MD_CTX* ctx);

- +extern "C" EVP_MD_CTX* EVP_MD_CTX_new(void);

- +extern "C" int32_t EVP_PKEY_up_ref(EVP_PKEY* pkey);

- +extern "C" void HMAC_CTX_free(HMAC_CTX* ctx);

- +extern "C" HMAC_CTX* HMAC_CTX_new(void);

- +extern "C" int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS* settings);

- +extern "C" void OPENSSL_sk_free(OPENSSL_STACK*);

- +extern "C" OPENSSL_STACK* OPENSSL_sk_new_null(void);

- +extern "C" int OPENSSL_sk_num(const OPENSSL_STACK*);

- +extern "C" void OPENSSL_sk_pop_free(OPENSSL_STACK* st, void (*func)(void*));

- +extern "C" int OPENSSL_sk_push(OPENSSL_STACK* st, const void* data);

- +extern "C" void* OPENSSL_sk_value(const OPENSSL_STACK*, int);

- +extern "C" const char* OpenSSL_version(int type);

- +extern "C" unsigned long OpenSSL_version_num();

- +extern "C" void RSA_get0_crt_params(const RSA* rsa, const BIGNUM** dmp1, const BIGNUM** dmq1, const BIGNUM** iqmp);

- +extern "C" void RSA_get0_factors(const RSA* rsa, const BIGNUM** p, const BIGNUM** q);

- +extern "C" void RSA_get0_key(const RSA* rsa, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d);

- +extern "C" int32_t RSA_meth_get_flags(const RSA_METHOD* meth);

- +extern "C" int32_t RSA_set0_crt_params(RSA* rsa, BIGNUM* dmp1, BIGNUM* dmq1, BIGNUM* iqmp);

- +extern "C" int32_t RSA_set0_factors(RSA* rsa, BIGNUM* p, BIGNUM* q);

- +extern "C" int32_t RSA_set0_key(RSA* rsa, BIGNUM* n, BIGNUM* e, BIGNUM* d);

- +extern "C" int32_t SSL_is_init_finished(SSL* ssl);

- +#undef SSL_CTX_set_options

- +extern "C" unsigned long SSL_CTX_set_options(SSL_CTX* ctx, unsigned long options);

- +extern "C" void SSL_CTX_set_security_level(SSL_CTX* ctx, int32_t level);

- +#undef SSL_session_reused

- +extern "C" int SSL_session_reused(SSL* ssl);

- +extern "C" const SSL_METHOD* TLS_method(void);

- +extern "C" const ASN1_TIME* X509_CRL_get0_nextUpdate(const X509_CRL* crl);

- +extern "C" int32_t X509_NAME_get0_der(X509_NAME* x509Name, const uint8_t** pder, size_t* pderlen);

- +extern "C" int32_t X509_PUBKEY_get0_param(

- +    ASN1_OBJECT** palgOid, const uint8_t** pkeyBytes, int* pkeyBytesLen, X509_ALGOR** palg, X509_PUBKEY* pubkey);

- +extern "C" X509* X509_STORE_CTX_get0_cert(X509_STORE_CTX* ctx);

- +extern "C" STACK_OF(X509) * X509_STORE_CTX_get0_untrusted(X509_STORE_CTX* ctx);

- +extern "C" const ASN1_TIME* X509_get0_notAfter(const X509* x509);

- +extern "C" const ASN1_TIME* X509_get0_notBefore(const X509* x509);

- +extern "C" ASN1_BIT_STRING* X509_get0_pubkey_bitstr(const X509* x509);

- +extern "C" const X509_ALGOR* X509_get0_tbs_sigalg(const X509* x509);

- +extern "C" X509_PUBKEY* X509_get_X509_PUBKEY(const X509* x509);

- +extern "C" int32_t X509_get_version(const X509* x509);

- +extern "C" int32_t X509_up_ref(X509* x509);

-  #endif

-  

-  #if !HAVE_OPENSSL_ALPN

-  #undef HAVE_OPENSSL_ALPN

-  #define HAVE_OPENSSL_ALPN 1

- -int SSL_CTX_set_alpn_protos(SSL_CTX* ctx, const unsigned char* protos, unsigned int protos_len);

- -void SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx, int (*cb) (SSL *ssl,

- -                                            const unsigned char **out,

- -                                            unsigned char *outlen,

- -                                            const unsigned char *in,

- -                                            unsigned int inlen,

- -                                            void *arg), void *arg);

- -void SSL_get0_alpn_selected(const SSL* ssl, const unsigned char** protocol, unsigned int* len);

- +extern "C" int SSL_CTX_set_alpn_protos(SSL_CTX* ctx, const unsigned char* protos, unsigned int protos_len);

- +extern "C" void SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx,

- +                                int (*cb)(SSL* ssl,

- +                                          const unsigned char** out,

- +                                          unsigned char* outlen,

- +                                          const unsigned char* in,

- +                                          unsigned int inlen,

- +                                          void* arg),

- +                                void* arg);

- +extern "C" void SSL_get0_alpn_selected(const SSL* ssl, const unsigned char** protocol, unsigned int* len);

-  #endif

-  

-  #define API_EXISTS(fn) (fn != nullptr)

- @@ -70,304 +173,350 @@ void SSL_get0_alpn_selected(const SSL* ssl, const unsigned char** protocol, unsi

-  // List of all functions from the libssl that are used in the System.Security.Cryptography.Native.

-  // Forgetting to add a function here results in build failure with message reporting the function

-  // that needs to be added.

- +

-  #define FOR_ALL_OPENSSL_FUNCTIONS \

- -    PER_FUNCTION_BLOCK(ASN1_BIT_STRING_free, true) \

- -    PER_FUNCTION_BLOCK(ASN1_INTEGER_get, true) \

- -    PER_FUNCTION_BLOCK(ASN1_OBJECT_free, true) \

- -    PER_FUNCTION_BLOCK(ASN1_OCTET_STRING_free, true) \

- -    PER_FUNCTION_BLOCK(ASN1_OCTET_STRING_new, true) \

- -    PER_FUNCTION_BLOCK(ASN1_OCTET_STRING_set, true) \

- -    PER_FUNCTION_BLOCK(ASN1_STRING_free, true) \

- -    PER_FUNCTION_BLOCK(ASN1_STRING_print_ex, true) \

- -    PER_FUNCTION_BLOCK(BASIC_CONSTRAINTS_free, true) \

- -    PER_FUNCTION_BLOCK(BIO_ctrl, true) \

- -    PER_FUNCTION_BLOCK(BIO_ctrl_pending, true) \

- -    PER_FUNCTION_BLOCK(BIO_free, true) \

- -    PER_FUNCTION_BLOCK(BIO_gets, true) \

- -    PER_FUNCTION_BLOCK(BIO_new, true) \

- -    PER_FUNCTION_BLOCK(BIO_new_file, true) \

- -    PER_FUNCTION_BLOCK(BIO_read, true) \

- -    PER_FUNCTION_BLOCK(BIO_s_mem, true) \

- -    PER_FUNCTION_BLOCK(BIO_write, true) \

- -    PER_FUNCTION_BLOCK(BN_bin2bn, true) \

- -    PER_FUNCTION_BLOCK(BN_bn2bin, true) \

- -    PER_FUNCTION_BLOCK(BN_clear_free, true) \

- -    PER_FUNCTION_BLOCK(BN_free, true) \

- -    PER_FUNCTION_BLOCK(BN_new, true) \

- -    PER_FUNCTION_BLOCK(BN_num_bits, true) \

- -    PER_FUNCTION_BLOCK(CRYPTO_add_lock, true) \

- -    PER_FUNCTION_BLOCK(CRYPTO_num_locks, true) \

- -    PER_FUNCTION_BLOCK(CRYPTO_set_locking_callback, true) \

- -    PER_FUNCTION_BLOCK(d2i_ASN1_BIT_STRING, true) \

- -    PER_FUNCTION_BLOCK(d2i_ASN1_OCTET_STRING, true) \

- -    PER_FUNCTION_BLOCK(d2i_ASN1_type_bytes, true) \

- -    PER_FUNCTION_BLOCK(d2i_BASIC_CONSTRAINTS, true) \

- -    PER_FUNCTION_BLOCK(d2i_EXTENDED_KEY_USAGE, true) \

- -    PER_FUNCTION_BLOCK(d2i_PKCS12, true) \

- -    PER_FUNCTION_BLOCK(d2i_PKCS12_bio, true) \

- -    PER_FUNCTION_BLOCK(d2i_PKCS7, true) \

- -    PER_FUNCTION_BLOCK(d2i_PKCS7_bio, true) \

- -    PER_FUNCTION_BLOCK(d2i_RSAPublicKey, true) \

- -    PER_FUNCTION_BLOCK(d2i_X509, true) \

- -    PER_FUNCTION_BLOCK(d2i_X509_bio, true) \

- -    PER_FUNCTION_BLOCK(d2i_X509_CRL, true) \

- -    PER_FUNCTION_BLOCK(d2i_X509_NAME, true) \

- -    PER_FUNCTION_BLOCK(DSA_free, true) \

- -    PER_FUNCTION_BLOCK(DSA_generate_key, true) \

- -    PER_FUNCTION_BLOCK(DSA_generate_parameters_ex, true) \

- -    PER_FUNCTION_BLOCK(DSA_new, true) \

- -    PER_FUNCTION_BLOCK(DSA_OpenSSL, true) \

- -    PER_FUNCTION_BLOCK(DSA_sign, true) \

- -    PER_FUNCTION_BLOCK(DSA_size, true) \

- -    PER_FUNCTION_BLOCK(DSA_up_ref, true) \

- -    PER_FUNCTION_BLOCK(DSA_verify, true) \

- -    PER_FUNCTION_BLOCK(ECDSA_sign, true) \

- -    PER_FUNCTION_BLOCK(ECDSA_size, true) \

- -    PER_FUNCTION_BLOCK(ECDSA_verify, true) \

- -    PER_FUNCTION_BLOCK(EC_GFp_mont_method, true) \

- -    PER_FUNCTION_BLOCK(EC_GFp_simple_method, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_check, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_free, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_get0_generator, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_get0_seed, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_get_cofactor, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_get_curve_GFp, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_get_curve_name, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_get_degree, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_get_order, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_get_seed_len, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_method_of, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_new, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_set_curve_GFp, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_set_generator, true) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_set_seed, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_check_key, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_free, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_generate_key, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_get0_group, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_get0_private_key, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_get0_public_key, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_new, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_new_by_curve_name, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_set_group, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_set_private_key, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_set_public_key_affine_coordinates, true) \

- -    PER_FUNCTION_BLOCK(EC_KEY_up_ref, true) \

- -    PER_FUNCTION_BLOCK(EC_METHOD_get_field_type, true) \

- -    PER_FUNCTION_BLOCK(EC_POINT_free, true) \

- -    PER_FUNCTION_BLOCK(EC_POINT_get_affine_coordinates_GFp, true) \

- -    PER_FUNCTION_BLOCK(EC_POINT_new, true) \

- -    PER_FUNCTION_BLOCK(EC_POINT_set_affine_coordinates_GFp, true) \

- -    PER_FUNCTION_BLOCK(ERR_clear_error, true) \

- -    PER_FUNCTION_BLOCK(ERR_error_string_n, true) \

- -    PER_FUNCTION_BLOCK(ERR_get_error, true) \

- -    PER_FUNCTION_BLOCK(ERR_load_crypto_strings, true) \

- -    PER_FUNCTION_BLOCK(ERR_put_error, true) \

- -    PER_FUNCTION_BLOCK(ERR_peek_error, true) \

- -    PER_FUNCTION_BLOCK(ERR_peek_last_error, true) \

- -    PER_FUNCTION_BLOCK(ERR_reason_error_string, true) \

- -    PER_FUNCTION_BLOCK(EVP_aes_128_cbc, true) \

- -    PER_FUNCTION_BLOCK(EVP_aes_128_ecb, true) \

- -    PER_FUNCTION_BLOCK(EVP_aes_192_cbc, true) \

- -    PER_FUNCTION_BLOCK(EVP_aes_192_ecb, true) \

- -    PER_FUNCTION_BLOCK(EVP_aes_256_cbc, true) \

- -    PER_FUNCTION_BLOCK(EVP_aes_256_ecb, true) \

- -    PER_FUNCTION_BLOCK(EVP_CIPHER_CTX_cleanup, true) \

- -    PER_FUNCTION_BLOCK(EVP_CIPHER_CTX_ctrl, true) \

- -    PER_FUNCTION_BLOCK(EVP_CIPHER_CTX_init, true) \

- -    PER_FUNCTION_BLOCK(EVP_CIPHER_CTX_set_key_length, true) \

- -    PER_FUNCTION_BLOCK(EVP_CIPHER_CTX_set_padding, true) \

- -    PER_FUNCTION_BLOCK(EVP_CipherFinal_ex, true) \

- -    PER_FUNCTION_BLOCK(EVP_CipherInit_ex, true) \

- -    PER_FUNCTION_BLOCK(EVP_CipherUpdate, true) \

- -    PER_FUNCTION_BLOCK(EVP_des_cbc, true) \

- -    PER_FUNCTION_BLOCK(EVP_des_ecb, true) \

- -    PER_FUNCTION_BLOCK(EVP_des_ede3, true) \

- -    PER_FUNCTION_BLOCK(EVP_des_ede3_cbc, true) \

- -    PER_FUNCTION_BLOCK(EVP_DigestFinal_ex, true) \

- -    PER_FUNCTION_BLOCK(EVP_DigestInit_ex, true) \

- -    PER_FUNCTION_BLOCK(EVP_DigestUpdate, true) \

- -    PER_FUNCTION_BLOCK(EVP_get_digestbyname, true) \

- -    PER_FUNCTION_BLOCK(EVP_md5, true) \

- -    PER_FUNCTION_BLOCK(EVP_MD_CTX_create, true) \

- -    PER_FUNCTION_BLOCK(EVP_MD_CTX_destroy, true) \

- -    PER_FUNCTION_BLOCK(EVP_MD_size, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_CTX_free, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_CTX_new, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_derive_set_peer, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_derive_init, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_derive, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_free, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_get1_DSA, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_get1_EC_KEY, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_get1_RSA, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_new, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_set1_DSA, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_set1_EC_KEY, true) \

- -    PER_FUNCTION_BLOCK(EVP_PKEY_set1_RSA, true) \

- -    PER_FUNCTION_BLOCK(EVP_rc2_cbc, true) \

- -    PER_FUNCTION_BLOCK(EVP_rc2_ecb, true) \

- -    PER_FUNCTION_BLOCK(EVP_sha1, true) \

- -    PER_FUNCTION_BLOCK(EVP_sha256, true) \

- -    PER_FUNCTION_BLOCK(EVP_sha384, true) \

- -    PER_FUNCTION_BLOCK(EVP_sha512, true) \

- -    PER_FUNCTION_BLOCK(EXTENDED_KEY_USAGE_free, true) \

- -    PER_FUNCTION_BLOCK(GENERAL_NAMES_free, true) \

- -    PER_FUNCTION_BLOCK(HMAC_CTX_cleanup, true) \

- -    PER_FUNCTION_BLOCK(HMAC_CTX_init, true) \

- -    PER_FUNCTION_BLOCK(HMAC_Final, true) \

- -    PER_FUNCTION_BLOCK(HMAC_Init_ex, true) \

- -    PER_FUNCTION_BLOCK(HMAC_Update, true) \

- -    PER_FUNCTION_BLOCK(i2d_ASN1_INTEGER, true) \

- -    PER_FUNCTION_BLOCK(i2d_ASN1_TYPE, true) \

- -    PER_FUNCTION_BLOCK(i2d_PKCS12, true) \

- -    PER_FUNCTION_BLOCK(i2d_PKCS7, true) \

- -    PER_FUNCTION_BLOCK(i2d_X509, true) \

- -    PER_FUNCTION_BLOCK(i2d_X509_PUBKEY, true) \

- -    PER_FUNCTION_BLOCK(OBJ_ln2nid, true) \

- -    PER_FUNCTION_BLOCK(OBJ_nid2ln, true) \

- -    PER_FUNCTION_BLOCK(OBJ_nid2sn, true) \

- -    PER_FUNCTION_BLOCK(OBJ_nid2obj, true) \

- -    PER_FUNCTION_BLOCK(OBJ_obj2nid, true) \

- -    PER_FUNCTION_BLOCK(OBJ_obj2txt, true) \

- -    PER_FUNCTION_BLOCK(OBJ_sn2nid, true) \

- -    PER_FUNCTION_BLOCK(OBJ_txt2nid, true) \

- -    PER_FUNCTION_BLOCK(OBJ_txt2obj, true) \

- -    PER_FUNCTION_BLOCK(OPENSSL_add_all_algorithms_conf, true) \

- -    PER_FUNCTION_BLOCK(OPENSSL_cleanse, true) \

- -    PER_FUNCTION_BLOCK(PEM_read_bio_PKCS7, true) \

- -    PER_FUNCTION_BLOCK(PEM_read_bio_X509_AUX, true) \

- -    PER_FUNCTION_BLOCK(PEM_read_bio_X509_CRL, true) \

- -    PER_FUNCTION_BLOCK(PEM_write_bio_X509_CRL, true) \

- -    PER_FUNCTION_BLOCK(PKCS12_create, true) \

- -    PER_FUNCTION_BLOCK(PKCS12_free, true) \

- -    PER_FUNCTION_BLOCK(PKCS12_parse, true) \

- -    PER_FUNCTION_BLOCK(PKCS7_add_certificate, true) \

- -    PER_FUNCTION_BLOCK(PKCS7_content_new, true) \

- -    PER_FUNCTION_BLOCK(PKCS7_free, true) \

- -    PER_FUNCTION_BLOCK(PKCS7_new, true) \

- -    PER_FUNCTION_BLOCK(PKCS7_set_type, true) \

- -    PER_FUNCTION_BLOCK(RAND_bytes, true) \

- -    PER_FUNCTION_BLOCK(RAND_poll, true) \

- -    PER_FUNCTION_BLOCK(RSA_free, true) \

- -    PER_FUNCTION_BLOCK(RSA_generate_key_ex, true) \

- -    PER_FUNCTION_BLOCK(RSA_get_method, true) \

- -    PER_FUNCTION_BLOCK(RSA_new, true) \

- -    PER_FUNCTION_BLOCK(RSA_private_decrypt, true) \

- -    PER_FUNCTION_BLOCK(RSA_private_encrypt, true) \

- -    PER_FUNCTION_BLOCK(RSA_public_decrypt, true) \

- -    PER_FUNCTION_BLOCK(RSA_public_encrypt, true) \

- -    PER_FUNCTION_BLOCK(RSA_sign, true) \

- -    PER_FUNCTION_BLOCK(RSA_size, true) \

- -    PER_FUNCTION_BLOCK(RSA_up_ref, true) \

- -    PER_FUNCTION_BLOCK(RSA_verify, true) \

- -    PER_FUNCTION_BLOCK(sk_free, true) \

- -    PER_FUNCTION_BLOCK(sk_new_null, true) \

- -    PER_FUNCTION_BLOCK(sk_num, true) \

- -    PER_FUNCTION_BLOCK(sk_pop_free, true) \

- -    PER_FUNCTION_BLOCK(sk_push, true) \

- -    PER_FUNCTION_BLOCK(sk_value, true) \

- -    PER_FUNCTION_BLOCK(SSL_CIPHER_description, true) \

- -    PER_FUNCTION_BLOCK(SSL_ctrl, true) \

- -    PER_FUNCTION_BLOCK(SSL_set_quiet_shutdown, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_check_private_key, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_ctrl, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_free, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_new, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_set_alpn_protos, false) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_set_alpn_select_cb, false) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_set_cert_verify_callback, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_set_cipher_list, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_set_client_cert_cb, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_set_quiet_shutdown, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_set_verify, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_use_certificate, true) \

- -    PER_FUNCTION_BLOCK(SSL_CTX_use_PrivateKey, true) \

- -    PER_FUNCTION_BLOCK(SSL_do_handshake, true) \

- -    PER_FUNCTION_BLOCK(SSL_free, true) \

- -    PER_FUNCTION_BLOCK(SSL_get_client_CA_list, true) \

- -    PER_FUNCTION_BLOCK(SSL_get_current_cipher, true) \

- -    PER_FUNCTION_BLOCK(SSL_get_error, true) \

- -    PER_FUNCTION_BLOCK(SSL_get_finished, true) \

- -    PER_FUNCTION_BLOCK(SSL_get_peer_cert_chain, true) \

- -    PER_FUNCTION_BLOCK(SSL_get_peer_certificate, true) \

- -    PER_FUNCTION_BLOCK(SSL_get_peer_finished, true) \

- -    PER_FUNCTION_BLOCK(SSL_get_SSL_CTX, true) \

- -    PER_FUNCTION_BLOCK(SSL_get_version, true) \

- -    PER_FUNCTION_BLOCK(SSL_get0_alpn_selected, false) \

- -    PER_FUNCTION_BLOCK(SSL_library_init, true) \

- -    PER_FUNCTION_BLOCK(SSL_load_error_strings, true) \

- -    PER_FUNCTION_BLOCK(SSL_new, true) \

- -    PER_FUNCTION_BLOCK(SSL_read, true) \

- -    PER_FUNCTION_BLOCK(SSL_renegotiate_pending, true) \

- -    PER_FUNCTION_BLOCK(SSL_set_accept_state, true) \

- -    PER_FUNCTION_BLOCK(SSL_set_bio, true) \

- -    PER_FUNCTION_BLOCK(SSL_set_connect_state, true) \

- -    PER_FUNCTION_BLOCK(SSL_shutdown, true) \

- -    PER_FUNCTION_BLOCK(SSL_state, true) \

- -    PER_FUNCTION_BLOCK(SSLeay_version, true) \

- -    PER_FUNCTION_BLOCK(SSLv23_method, true) \

- -    PER_FUNCTION_BLOCK(SSL_write, true) \

- -    PER_FUNCTION_BLOCK(TLSv1_1_method, true) \

- -    PER_FUNCTION_BLOCK(TLSv1_2_method, true) \

- -    PER_FUNCTION_BLOCK(TLSv1_method, true) \

- -    PER_FUNCTION_BLOCK(X509_check_issued, true) \

- -    PER_FUNCTION_BLOCK(X509_check_purpose, true) \

- -    PER_FUNCTION_BLOCK(X509_CRL_free, true) \

- -    PER_FUNCTION_BLOCK(X509_digest, true) \

- -    PER_FUNCTION_BLOCK(X509_dup, true) \

- -    PER_FUNCTION_BLOCK(X509_EXTENSION_create_by_OBJ, true) \

- -    PER_FUNCTION_BLOCK(X509_EXTENSION_free, true) \

- -    PER_FUNCTION_BLOCK(X509_EXTENSION_get_critical, true) \

- -    PER_FUNCTION_BLOCK(X509_EXTENSION_get_data, true) \

- -    PER_FUNCTION_BLOCK(X509_EXTENSION_get_object, true) \

- -    PER_FUNCTION_BLOCK(X509_free, true) \

- -    PER_FUNCTION_BLOCK(X509_get_default_cert_dir, true) \

- -    PER_FUNCTION_BLOCK(X509_get_default_cert_dir_env, true) \

- -    PER_FUNCTION_BLOCK(X509_get_default_cert_file, true) \

- -    PER_FUNCTION_BLOCK(X509_get_default_cert_file_env, true) \

- -    PER_FUNCTION_BLOCK(X509_get_ext, true) \

- -    PER_FUNCTION_BLOCK(X509_get_ext_count, true) \

- -    PER_FUNCTION_BLOCK(X509_get_ext_d2i, true) \

- -    PER_FUNCTION_BLOCK(X509_get_issuer_name, true) \

- -    PER_FUNCTION_BLOCK(X509_get_serialNumber, true) \

- -    PER_FUNCTION_BLOCK(X509_get_subject_name, true) \

- -    PER_FUNCTION_BLOCK(X509_issuer_name_hash, true) \

- -    PER_FUNCTION_BLOCK(X509_NAME_entry_count, true) \

- -    PER_FUNCTION_BLOCK(X509_NAME_ENTRY_get_data, true) \

- -    PER_FUNCTION_BLOCK(X509_NAME_ENTRY_get_object, true) \

- -    PER_FUNCTION_BLOCK(X509_NAME_free, true) \

- -    PER_FUNCTION_BLOCK(X509_NAME_get_entry, true) \

- -    PER_FUNCTION_BLOCK(X509_NAME_get_index_by_NID, true) \

- -    PER_FUNCTION_BLOCK(X509_PUBKEY_get, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_add_cert, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_add_crl, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_CTX_free, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_CTX_get0_param, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_CTX_get1_chain, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_CTX_get_error, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_CTX_get_error_depth, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_CTX_init, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_CTX_new, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_CTX_set_flags, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_CTX_set_verify_cb, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_free, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_new, true) \

- -    PER_FUNCTION_BLOCK(X509_STORE_set_flags, true) \

- -    PER_FUNCTION_BLOCK(X509V3_EXT_print, true) \

- -    PER_FUNCTION_BLOCK(X509_verify_cert, true) \

- -    PER_FUNCTION_BLOCK(X509_verify_cert_error_string, true) \

- -    PER_FUNCTION_BLOCK(X509_VERIFY_PARAM_set_time, true) \

- -    PER_FUNCTION_BLOCK(EC_GF2m_simple_method, false) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_get_curve_GF2m, false) \

- -    PER_FUNCTION_BLOCK(EC_GROUP_set_curve_GF2m, false) \

- -    PER_FUNCTION_BLOCK(EC_POINT_get_affine_coordinates_GF2m, false) \

- -    PER_FUNCTION_BLOCK(EC_POINT_set_affine_coordinates_GF2m, false) \

- +    REQUIRED_FUNCTION(ASN1_BIT_STRING_free) \

- +    REQUIRED_FUNCTION(ASN1_INTEGER_get) \

- +    REQUIRED_FUNCTION(ASN1_OBJECT_free) \

- +    REQUIRED_FUNCTION(ASN1_OCTET_STRING_free) \

- +    REQUIRED_FUNCTION(ASN1_OCTET_STRING_new) \

- +    REQUIRED_FUNCTION(ASN1_OCTET_STRING_set) \

- +    REQUIRED_FUNCTION(ASN1_STRING_free) \

- +    REQUIRED_FUNCTION(ASN1_STRING_print_ex) \

- +    REQUIRED_FUNCTION(BASIC_CONSTRAINTS_free) \

- +    REQUIRED_FUNCTION(BIO_ctrl) \

- +    REQUIRED_FUNCTION(BIO_ctrl_pending) \

- +    REQUIRED_FUNCTION(BIO_free) \

- +    REQUIRED_FUNCTION(BIO_gets) \

- +    REQUIRED_FUNCTION(BIO_new) \

- +    REQUIRED_FUNCTION(BIO_new_file) \

- +    REQUIRED_FUNCTION(BIO_read) \

- +    REQUIRED_FUNCTION(BIO_s_mem) \

- +    REQUIRED_FUNCTION(BIO_write) \

- +    REQUIRED_FUNCTION(BN_bin2bn) \

- +    REQUIRED_FUNCTION(BN_bn2bin) \

- +    REQUIRED_FUNCTION(BN_clear_free) \

- +    REQUIRED_FUNCTION(BN_free) \

- +    REQUIRED_FUNCTION(BN_new) \

- +    REQUIRED_FUNCTION(BN_num_bits) \

- +    LEGACY_FUNCTION(CRYPTO_add_lock) \

- +    LEGACY_FUNCTION(CRYPTO_num_locks) \

- +    LEGACY_FUNCTION(CRYPTO_set_locking_callback) \

- +    REQUIRED_FUNCTION(d2i_ASN1_BIT_STRING) \

- +    REQUIRED_FUNCTION(d2i_ASN1_OCTET_STRING) \

- +    LEGACY_FUNCTION(d2i_ASN1_type_bytes) \

- +    REQUIRED_FUNCTION(d2i_BASIC_CONSTRAINTS) \

- +    REQUIRED_FUNCTION(d2i_EXTENDED_KEY_USAGE) \

- +    REQUIRED_FUNCTION(d2i_PKCS12) \

- +    REQUIRED_FUNCTION(d2i_PKCS12_bio) \

- +    REQUIRED_FUNCTION(d2i_PKCS7) \

- +    REQUIRED_FUNCTION(d2i_PKCS7_bio) \

- +    REQUIRED_FUNCTION(d2i_RSAPublicKey) \

- +    REQUIRED_FUNCTION(d2i_X509) \

- +    REQUIRED_FUNCTION(d2i_X509_bio) \

- +    REQUIRED_FUNCTION(d2i_X509_CRL) \

- +    REQUIRED_FUNCTION(d2i_X509_NAME) \

- +    REQUIRED_FUNCTION(DSA_free) \

- +    REQUIRED_FUNCTION(DSA_generate_key) \

- +    REQUIRED_FUNCTION(DSA_generate_parameters_ex) \

- +    FALLBACK_FUNCTION(DSA_get0_key) \

- +    FALLBACK_FUNCTION(DSA_get0_pqg) \

- +    FALLBACK_FUNCTION(DSA_get_method) \

- +    REQUIRED_FUNCTION(DSA_new) \

- +    REQUIRED_FUNCTION(DSA_OpenSSL) \

- +    FALLBACK_FUNCTION(DSA_set0_key) \

- +    FALLBACK_FUNCTION(DSA_set0_pqg) \

- +    REQUIRED_FUNCTION(DSA_sign) \

- +    REQUIRED_FUNCTION(DSA_size) \

- +    REQUIRED_FUNCTION(DSA_up_ref) \

- +    REQUIRED_FUNCTION(DSA_verify) \

- +    REQUIRED_FUNCTION(ECDSA_sign) \

- +    REQUIRED_FUNCTION(ECDSA_size) \

- +    REQUIRED_FUNCTION(ECDSA_verify) \

- +    REQUIRED_FUNCTION(EC_GFp_mont_method) \

- +    REQUIRED_FUNCTION(EC_GFp_simple_method) \

- +    REQUIRED_FUNCTION(EC_GROUP_check) \

- +    REQUIRED_FUNCTION(EC_GROUP_free) \

- +    REQUIRED_FUNCTION(EC_GROUP_get0_generator) \

- +    REQUIRED_FUNCTION(EC_GROUP_get0_seed) \

- +    REQUIRED_FUNCTION(EC_GROUP_get_cofactor) \

- +    REQUIRED_FUNCTION(EC_GROUP_get_curve_GFp) \

- +    REQUIRED_FUNCTION(EC_GROUP_get_curve_name) \

- +    REQUIRED_FUNCTION(EC_GROUP_get_degree) \

- +    REQUIRED_FUNCTION(EC_GROUP_get_order) \

- +    REQUIRED_FUNCTION(EC_GROUP_get_seed_len) \

- +    REQUIRED_FUNCTION(EC_GROUP_method_of) \

- +    REQUIRED_FUNCTION(EC_GROUP_new) \

- +    REQUIRED_FUNCTION(EC_GROUP_set_curve_GFp) \

- +    REQUIRED_FUNCTION(EC_GROUP_set_generator) \

- +    REQUIRED_FUNCTION(EC_GROUP_set_seed) \

- +    REQUIRED_FUNCTION(EC_KEY_check_key) \

- +    REQUIRED_FUNCTION(EC_KEY_free) \

- +    REQUIRED_FUNCTION(EC_KEY_generate_key) \

- +    REQUIRED_FUNCTION(EC_KEY_get0_group) \

- +    REQUIRED_FUNCTION(EC_KEY_get0_private_key) \

- +    REQUIRED_FUNCTION(EC_KEY_get0_public_key) \

- +    REQUIRED_FUNCTION(EC_KEY_new) \

- +    REQUIRED_FUNCTION(EC_KEY_new_by_curve_name) \

- +    REQUIRED_FUNCTION(EC_KEY_set_group) \

- +    REQUIRED_FUNCTION(EC_KEY_set_private_key) \

- +    REQUIRED_FUNCTION(EC_KEY_set_public_key_affine_coordinates) \

- +    REQUIRED_FUNCTION(EC_KEY_up_ref) \

- +    REQUIRED_FUNCTION(EC_METHOD_get_field_type) \

- +    REQUIRED_FUNCTION(EC_POINT_free) \

- +    REQUIRED_FUNCTION(EC_POINT_get_affine_coordinates_GFp) \

- +    REQUIRED_FUNCTION(EC_POINT_new) \

- +    REQUIRED_FUNCTION(EC_POINT_set_affine_coordinates_GFp) \

- +    REQUIRED_FUNCTION(ERR_clear_error) \

- +    REQUIRED_FUNCTION(ERR_error_string_n) \

- +    REQUIRED_FUNCTION(ERR_get_error) \

- +    LEGACY_FUNCTION(ERR_load_crypto_strings) \

- +    REQUIRED_FUNCTION(ERR_put_error) \

- +    REQUIRED_FUNCTION(ERR_peek_error) \

- +    REQUIRED_FUNCTION(ERR_peek_last_error) \

- +    REQUIRED_FUNCTION(ERR_reason_error_string) \

- +    REQUIRED_FUNCTION(EVP_aes_128_cbc) \

- +    REQUIRED_FUNCTION(EVP_aes_128_ecb) \

- +    REQUIRED_FUNCTION(EVP_aes_192_cbc) \

- +    REQUIRED_FUNCTION(EVP_aes_192_ecb) \

- +    REQUIRED_FUNCTION(EVP_aes_256_cbc) \

- +    REQUIRED_FUNCTION(EVP_aes_256_ecb) \

- +    LEGACY_FUNCTION(EVP_CIPHER_CTX_cleanup) \

- +    REQUIRED_FUNCTION(EVP_CIPHER_CTX_ctrl) \

- +    FALLBACK_FUNCTION(EVP_CIPHER_CTX_free) \

- +    LEGACY_FUNCTION(EVP_CIPHER_CTX_init) \

- +    FALLBACK_FUNCTION(EVP_CIPHER_CTX_new) \

- +    FALLBACK_FUNCTION(EVP_CIPHER_CTX_reset) \

- +    REQUIRED_FUNCTION(EVP_CIPHER_CTX_set_key_length) \

- +    REQUIRED_FUNCTION(EVP_CIPHER_CTX_set_padding) \

- +    REQUIRED_FUNCTION(EVP_CipherFinal_ex) \

- +    REQUIRED_FUNCTION(EVP_CipherInit_ex) \

- +    REQUIRED_FUNCTION(EVP_CipherUpdate) \

- +    REQUIRED_FUNCTION(EVP_des_cbc) \

- +    REQUIRED_FUNCTION(EVP_des_ecb) \

- +    REQUIRED_FUNCTION(EVP_des_ede3) \

- +    REQUIRED_FUNCTION(EVP_des_ede3_cbc) \

- +    REQUIRED_FUNCTION(EVP_DigestFinal_ex) \

- +    REQUIRED_FUNCTION(EVP_DigestInit_ex) \

- +    REQUIRED_FUNCTION(EVP_DigestUpdate) \

- +    REQUIRED_FUNCTION(EVP_get_digestbyname) \

- +    REQUIRED_FUNCTION(EVP_md5) \

- +    RENAMED_FUNCTION(EVP_MD_CTX_free, EVP_MD_CTX_destroy) \

- +    RENAMED_FUNCTION(EVP_MD_CTX_new, EVP_MD_CTX_create) \

- +    REQUIRED_FUNCTION(EVP_MD_size) \

- +    REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \

- +    REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \

- +    REQUIRED_FUNCTION(EVP_PKEY_derive_set_peer) \

- +    REQUIRED_FUNCTION(EVP_PKEY_derive_init) \

- +    REQUIRED_FUNCTION(EVP_PKEY_derive) \

- +    REQUIRED_FUNCTION(EVP_PKEY_free) \

- +    REQUIRED_FUNCTION(EVP_PKEY_get1_DSA) \

- +    REQUIRED_FUNCTION(EVP_PKEY_get1_EC_KEY) \

- +    REQUIRED_FUNCTION(EVP_PKEY_get1_RSA) \

- +    REQUIRED_FUNCTION(EVP_PKEY_new) \

- +    REQUIRED_FUNCTION(EVP_PKEY_set1_DSA) \

- +    REQUIRED_FUNCTION(EVP_PKEY_set1_EC_KEY) \

- +    REQUIRED_FUNCTION(EVP_PKEY_set1_RSA) \

- +    FALLBACK_FUNCTION(EVP_PKEY_up_ref) \

- +    REQUIRED_FUNCTION(EVP_rc2_cbc) \

- +    REQUIRED_FUNCTION(EVP_rc2_ecb) \

- +    REQUIRED_FUNCTION(EVP_sha1) \

- +    REQUIRED_FUNCTION(EVP_sha256) \

- +    REQUIRED_FUNCTION(EVP_sha384) \

- +    REQUIRED_FUNCTION(EVP_sha512) \

- +    REQUIRED_FUNCTION(EXTENDED_KEY_USAGE_free) \

- +    REQUIRED_FUNCTION(GENERAL_NAMES_free) \

- +    LEGACY_FUNCTION(HMAC_CTX_cleanup) \

- +    FALLBACK_FUNCTION(HMAC_CTX_free) \

- +    LEGACY_FUNCTION(HMAC_CTX_init) \

- +    FALLBACK_FUNCTION(HMAC_CTX_new) \

- +    REQUIRED_FUNCTION(HMAC_Final) \

- +    REQUIRED_FUNCTION(HMAC_Init_ex) \

- +    REQUIRED_FUNCTION(HMAC_Update) \

- +    REQUIRED_FUNCTION(i2d_ASN1_INTEGER) \

- +    REQUIRED_FUNCTION(i2d_ASN1_TYPE) \

- +    REQUIRED_FUNCTION(i2d_PKCS12) \

- +    REQUIRED_FUNCTION(i2d_PKCS7) \

- +    REQUIRED_FUNCTION(i2d_X509) \

- +    REQUIRED_FUNCTION(i2d_X509_PUBKEY) \

- +    REQUIRED_FUNCTION(OBJ_ln2nid) \

- +    REQUIRED_FUNCTION(OBJ_nid2ln) \

- +    REQUIRED_FUNCTION(OBJ_nid2sn) \

- +    REQUIRED_FUNCTION(OBJ_nid2obj) \

- +    REQUIRED_FUNCTION(OBJ_obj2nid) \

- +    REQUIRED_FUNCTION(OBJ_obj2txt) \

- +    REQUIRED_FUNCTION(OBJ_sn2nid) \

- +    REQUIRED_FUNCTION(OBJ_txt2nid) \

- +    REQUIRED_FUNCTION(OBJ_txt2obj) \

- +    LEGACY_FUNCTION(OPENSSL_add_all_algorithms_conf) \

- +    REQUIRED_FUNCTION(OPENSSL_cleanse) \

- +    NEW_REQUIRED_FUNCTION(OPENSSL_init_ssl) \

- +    RENAMED_FUNCTION(OPENSSL_sk_free, sk_free) \

- +    RENAMED_FUNCTION(OPENSSL_sk_new_null, sk_new_null) \

- +    RENAMED_FUNCTION(OPENSSL_sk_num, sk_num) \

- +    RENAMED_FUNCTION(OPENSSL_sk_pop_free, sk_pop_free) \

- +    RENAMED_FUNCTION(OPENSSL_sk_push, sk_push) \

- +    RENAMED_FUNCTION(OPENSSL_sk_value, sk_value) \

- +    FALLBACK_FUNCTION(OpenSSL_version) \

- +    RENAMED_FUNCTION(OpenSSL_version_num, SSLeay) \

- +    REQUIRED_FUNCTION(PEM_read_bio_PKCS7) \

- +    REQUIRED_FUNCTION(PEM_read_bio_X509_AUX) \

- +    REQUIRED_FUNCTION(PEM_read_bio_X509_CRL) \

- +    REQUIRED_FUNCTION(PEM_write_bio_X509_CRL) \

- +    REQUIRED_FUNCTION(PKCS12_create) \

- +    REQUIRED_FUNCTION(PKCS12_free) \

- +    REQUIRED_FUNCTION(PKCS12_parse) \

- +    REQUIRED_FUNCTION(PKCS7_add_certificate) \

- +    REQUIRED_FUNCTION(PKCS7_free) \

- +    REQUIRED_FUNCTION(PKCS7_new) \

- +    REQUIRED_FUNCTION(PKCS7_set_type) \

- +    REQUIRED_FUNCTION(PKCS7_content_new) \

- +    REQUIRED_FUNCTION(RAND_bytes) \

- +    REQUIRED_FUNCTION(RAND_poll) \

- +    REQUIRED_FUNCTION(RSA_free) \

- +    REQUIRED_FUNCTION(RSA_generate_key_ex) \

- +    REQUIRED_FUNCTION(RSA_get_method) \

- +    FALLBACK_FUNCTION(RSA_get0_crt_params) \

- +    FALLBACK_FUNCTION(RSA_get0_factors) \

- +    FALLBACK_FUNCTION(RSA_get0_key) \

- +    FALLBACK_FUNCTION(RSA_meth_get_flags) \

- +    REQUIRED_FUNCTION(RSA_new) \

- +    REQUIRED_FUNCTION(RSA_private_decrypt) \

- +    REQUIRED_FUNCTION(RSA_private_encrypt) \

- +    REQUIRED_FUNCTION(RSA_public_decrypt) \

- +    REQUIRED_FUNCTION(RSA_public_encrypt) \

- +    FALLBACK_FUNCTION(RSA_set0_crt_params) \

- +    FALLBACK_FUNCTION(RSA_set0_factors) \

- +    FALLBACK_FUNCTION(RSA_set0_key) \

- +    REQUIRED_FUNCTION(RSA_sign) \

- +    REQUIRED_FUNCTION(RSA_size) \

- +    REQUIRED_FUNCTION(RSA_up_ref) \

- +    REQUIRED_FUNCTION(RSA_verify) \

- +    REQUIRED_FUNCTION(SSL_CIPHER_description) \

- +    REQUIRED_FUNCTION(SSL_CIPHER_get_bits) \

- +    REQUIRED_FUNCTION(SSL_ctrl) \

- +    REQUIRED_FUNCTION(SSL_set_quiet_shutdown) \

- +    REQUIRED_FUNCTION(SSL_CTX_check_private_key) \

- +    REQUIRED_FUNCTION(SSL_CTX_ctrl) \

- +    REQUIRED_FUNCTION(SSL_CTX_free) \

- +    FALLBACK_FUNCTION(SSL_is_init_finished) \

- +    REQUIRED_FUNCTION(SSL_CTX_new) \

- +    LIGHTUP_FUNCTION(SSL_CTX_set_alpn_protos) \

- +    LIGHTUP_FUNCTION(SSL_CTX_set_alpn_select_cb) \

- +    REQUIRED_FUNCTION(SSL_CTX_set_cert_verify_callback) \

- +    REQUIRED_FUNCTION(SSL_CTX_set_cipher_list) \

- +    REQUIRED_FUNCTION(SSL_CTX_set_client_cert_cb) \

- +    REQUIRED_FUNCTION(SSL_CTX_set_quiet_shutdown) \

- +    FALLBACK_FUNCTION(SSL_CTX_set_options) \

- +    FALLBACK_FUNCTION(SSL_CTX_set_security_level) \

- +    REQUIRED_FUNCTION(SSL_CTX_set_verify) \

- +    REQUIRED_FUNCTION(SSL_CTX_use_certificate) \

- +    REQUIRED_FUNCTION(SSL_CTX_use_PrivateKey) \

- +    REQUIRED_FUNCTION(SSL_do_handshake) \

- +    REQUIRED_FUNCTION(SSL_free) \

- +    REQUIRED_FUNCTION(SSL_get_client_CA_list) \

- +    REQUIRED_FUNCTION(SSL_get_current_cipher) \

- +    REQUIRED_FUNCTION(SSL_get_error) \

- +    REQUIRED_FUNCTION(SSL_get_finished) \

- +    REQUIRED_FUNCTION(SSL_get_peer_cert_chain) \

- +    REQUIRED_FUNCTION(SSL_get_peer_certificate) \

- +    REQUIRED_FUNCTION(SSL_get_peer_finished) \

- +    REQUIRED_FUNCTION(SSL_get_SSL_CTX) \

- +    REQUIRED_FUNCTION(SSL_get_version) \

- +    LIGHTUP_FUNCTION(SSL_get0_alpn_selected) \

- +    LEGACY_FUNCTION(SSL_library_init) \

- +    LEGACY_FUNCTION(SSL_load_error_strings) \

- +    REQUIRED_FUNCTION(SSL_new) \

- +    REQUIRED_FUNCTION(SSL_read) \

- +    REQUIRED_FUNCTION(SSL_renegotiate_pending) \

- +    FALLBACK_FUNCTION(SSL_session_reused) \

- +    REQUIRED_FUNCTION(SSL_set_accept_state) \

- +    REQUIRED_FUNCTION(SSL_set_bio) \

- +    REQUIRED_FUNCTION(SSL_set_connect_state) \

- +    REQUIRED_FUNCTION(SSL_shutdown) \

- +    LEGACY_FUNCTION(SSL_state) \

- +    LEGACY_FUNCTION(SSLeay_version) \

- +    RENAMED_FUNCTION(TLS_method, SSLv23_method) \

- +    REQUIRED_FUNCTION(SSL_write) \

- +    REQUIRED_FUNCTION(X509_check_issued) \

- +    REQUIRED_FUNCTION(X509_check_purpose) \

- +    REQUIRED_FUNCTION(X509_CRL_free) \

- +    FALLBACK_FUNCTION(X509_CRL_get0_nextUpdate) \

- +    REQUIRED_FUNCTION(X509_digest) \

- +    REQUIRED_FUNCTION(X509_dup) \

- +    REQUIRED_FUNCTION(X509_EXTENSION_create_by_OBJ) \

- +    REQUIRED_FUNCTION(X509_EXTENSION_free) \

- +    REQUIRED_FUNCTION(X509_EXTENSION_get_critical) \

- +    REQUIRED_FUNCTION(X509_EXTENSION_get_data) \

- +    REQUIRED_FUNCTION(X509_EXTENSION_get_object) \

- +    REQUIRED_FUNCTION(X509_free) \

- +    REQUIRED_FUNCTION(X509_get_default_cert_dir) \

- +    REQUIRED_FUNCTION(X509_get_default_cert_dir_env) \

- +    REQUIRED_FUNCTION(X509_get_default_cert_file) \

- +    REQUIRED_FUNCTION(X509_get_default_cert_file_env) \

- +    REQUIRED_FUNCTION(X509_get_ext) \

- +    REQUIRED_FUNCTION(X509_get_ext_count) \

- +    REQUIRED_FUNCTION(X509_get_ext_d2i) \

- +    REQUIRED_FUNCTION(X509_get_issuer_name) \

- +    REQUIRED_FUNCTION(X509_get_serialNumber) \

- +    REQUIRED_FUNCTION(X509_get_subject_name) \

- +    FALLBACK_FUNCTION(X509_get_version) \

- +    FALLBACK_FUNCTION(X509_get_X509_PUBKEY) \

- +    FALLBACK_FUNCTION(X509_get0_notBefore) \

- +    FALLBACK_FUNCTION(X509_get0_notAfter) \

- +    FALLBACK_FUNCTION(X509_get0_pubkey_bitstr) \

- +    FALLBACK_FUNCTION(X509_get0_tbs_sigalg) \

- +    REQUIRED_FUNCTION(X509_issuer_name_hash) \

- +    REQUIRED_FUNCTION(X509_NAME_entry_count) \

- +    REQUIRED_FUNCTION(X509_NAME_ENTRY_get_data) \

- +    REQUIRED_FUNCTION(X509_NAME_ENTRY_get_object) \

- +    REQUIRED_FUNCTION(X509_NAME_free) \

- +    REQUIRED_FUNCTION(X509_NAME_get_entry) \

- +    REQUIRED_FUNCTION(X509_NAME_get_index_by_NID) \

- +    FALLBACK_FUNCTION(X509_NAME_get0_der) \

- +    REQUIRED_FUNCTION(X509_PUBKEY_get) \

- +    FALLBACK_FUNCTION(X509_PUBKEY_get0_param) \

- +    REQUIRED_FUNCTION(X509_STORE_add_cert) \

- +    REQUIRED_FUNCTION(X509_STORE_add_crl) \

- +    REQUIRED_FUNCTION(X509_STORE_CTX_free) \

- +    REQUIRED_FUNCTION(X509_STORE_CTX_get0_param) \

- +    REQUIRED_FUNCTION(X509_STORE_CTX_get1_chain) \

- +    REQUIRED_FUNCTION(X509_STORE_CTX_get_error) \

- +    REQUIRED_FUNCTION(X509_STORE_CTX_get_error_depth) \

- +    FALLBACK_FUNCTION(X509_STORE_CTX_get0_cert) \

- +    FALLBACK_FUNCTION(X509_STORE_CTX_get0_untrusted) \

- +    REQUIRED_FUNCTION(X509_STORE_CTX_init) \

- +    REQUIRED_FUNCTION(X509_STORE_CTX_new) \

- +    REQUIRED_FUNCTION(X509_STORE_CTX_set_flags) \

- +    REQUIRED_FUNCTION(X509_STORE_CTX_set_verify_cb) \

- +    REQUIRED_FUNCTION(X509_STORE_free) \

- +    REQUIRED_FUNCTION(X509_STORE_new) \

- +    REQUIRED_FUNCTION(X509_STORE_set_flags) \

- +    REQUIRED_FUNCTION(X509V3_EXT_print) \

- +    FALLBACK_FUNCTION(X509_up_ref) \

- +    REQUIRED_FUNCTION(X509_verify_cert) \

- +    REQUIRED_FUNCTION(X509_verify_cert_error_string) \

- +    REQUIRED_FUNCTION(X509_VERIFY_PARAM_set_time) \

- +    LIGHTUP_FUNCTION(EC_GF2m_simple_method) \

- +    LIGHTUP_FUNCTION(EC_GROUP_get_curve_GF2m) \

- +    LIGHTUP_FUNCTION(EC_GROUP_set_curve_GF2m) \

- +    LIGHTUP_FUNCTION(EC_POINT_get_affine_coordinates_GF2m) \

- +    LIGHTUP_FUNCTION(EC_POINT_set_affine_coordinates_GF2m) \

-      

-  // Declare pointers to all the used OpenSSL functions

- -#define PER_FUNCTION_BLOCK(fn, isRequired) extern decltype(fn)* fn##_ptr;

- +#define REQUIRED_FUNCTION(fn) extern "C" __typeof(fn)* fn##_ptr;

- +#define NEW_REQUIRED_FUNCTION(fn) extern "C" __typeof(fn)* fn##_ptr;

- +#define LIGHTUP_FUNCTION(fn) extern "C" __typeof(fn)* fn##_ptr;

- +#define FALLBACK_FUNCTION(fn) extern "C" __typeof(fn)* fn##_ptr;

- +#define RENAMED_FUNCTION(fn,oldfn) extern "C" __typeof(fn)* fn##_ptr;

- +#define LEGACY_FUNCTION(fn) extern "C" __typeof(fn)* fn##_ptr;

-  FOR_ALL_OPENSSL_FUNCTIONS

- -#undef PER_FUNCTION_BLOCK

- +#undef LEGACY_FUNCTION

- +#undef RENAMED_FUNCTION

- +#undef FALLBACK_FUNCTION

- +#undef LIGHTUP_FUNCTION

- +#undef NEW_REQUIRED_FUNCTION

- +#undef REQUIRED_FUNCTION

-  

-  // Redefine all calls to OpenSSL functions as calls through pointers that are set

-  // to the functions from the libssl.so selected by the shim.

- @@ -415,8 +564,13 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define DSA_free DSA_free_ptr

-  #define DSA_generate_key DSA_generate_key_ptr

-  #define DSA_generate_parameters_ex DSA_generate_parameters_ex_ptr

- +#define DSA_get0_key DSA_get0_key_ptr

- +#define DSA_get0_pqg DSA_get0_pqg_ptr

- +#define DSA_get_method DSA_get_method_ptr

-  #define DSA_new DSA_new_ptr

-  #define DSA_OpenSSL DSA_OpenSSL_ptr

- +#define DSA_set0_key DSA_set0_key_ptr

- +#define DSA_set0_pqg DSA_set0_pqg_ptr

-  #define DSA_sign DSA_sign_ptr

-  #define DSA_size DSA_size_ptr

-  #define DSA_up_ref DSA_up_ref_ptr

- @@ -474,7 +628,10 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define EVP_aes_256_ecb EVP_aes_256_ecb_ptr

-  #define EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_cleanup_ptr

-  #define EVP_CIPHER_CTX_ctrl EVP_CIPHER_CTX_ctrl_ptr

- +#define EVP_CIPHER_CTX_free EVP_CIPHER_CTX_free_ptr

-  #define EVP_CIPHER_CTX_init EVP_CIPHER_CTX_init_ptr

- +#define EVP_CIPHER_CTX_new EVP_CIPHER_CTX_new_ptr

- +#define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_reset_ptr

-  #define EVP_CIPHER_CTX_set_key_length EVP_CIPHER_CTX_set_key_length_ptr

-  #define EVP_CIPHER_CTX_set_padding EVP_CIPHER_CTX_set_padding_ptr

-  #define EVP_CipherFinal_ex EVP_CipherFinal_ex_ptr

- @@ -489,8 +646,8 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define EVP_DigestUpdate EVP_DigestUpdate_ptr

-  #define EVP_get_digestbyname EVP_get_digestbyname_ptr

-  #define EVP_md5 EVP_md5_ptr

- -#define EVP_MD_CTX_create EVP_MD_CTX_create_ptr

- -#define EVP_MD_CTX_destroy EVP_MD_CTX_destroy_ptr

- +#define EVP_MD_CTX_free EVP_MD_CTX_free_ptr

- +#define EVP_MD_CTX_new EVP_MD_CTX_new_ptr

-  #define EVP_MD_size EVP_MD_size_ptr

-  #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr

-  #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr

- @@ -505,6 +662,7 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define EVP_PKEY_set1_DSA EVP_PKEY_set1_DSA_ptr

-  #define EVP_PKEY_set1_EC_KEY EVP_PKEY_set1_EC_KEY_ptr

-  #define EVP_PKEY_set1_RSA EVP_PKEY_set1_RSA_ptr

- +#define EVP_PKEY_up_ref EVP_PKEY_up_ref_ptr

-  #define EVP_rc2_cbc EVP_rc2_cbc_ptr

-  #define EVP_rc2_ecb EVP_rc2_ecb_ptr

-  #define EVP_sha1 EVP_sha1_ptr

- @@ -514,7 +672,9 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define EXTENDED_KEY_USAGE_free EXTENDED_KEY_USAGE_free_ptr

-  #define GENERAL_NAMES_free GENERAL_NAMES_free_ptr

-  #define HMAC_CTX_cleanup HMAC_CTX_cleanup_ptr

- +#define HMAC_CTX_free HMAC_CTX_free_ptr

-  #define HMAC_CTX_init HMAC_CTX_init_ptr

- +#define HMAC_CTX_new HMAC_CTX_new_ptr

-  #define HMAC_Final HMAC_Final_ptr

-  #define HMAC_Init_ex HMAC_Init_ex_ptr

-  #define HMAC_Update HMAC_Update_ptr

- @@ -535,6 +695,15 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define OBJ_txt2obj OBJ_txt2obj_ptr

-  #define OPENSSL_add_all_algorithms_conf OPENSSL_add_all_algorithms_conf_ptr

-  #define OPENSSL_cleanse OPENSSL_cleanse_ptr

- +#define OPENSSL_init_ssl OPENSSL_init_ssl_ptr

- +#define OPENSSL_sk_free OPENSSL_sk_free_ptr

- +#define OPENSSL_sk_new_null OPENSSL_sk_new_null_ptr

- +#define OPENSSL_sk_num OPENSSL_sk_num_ptr

- +#define OPENSSL_sk_pop_free OPENSSL_sk_pop_free_ptr

- +#define OPENSSL_sk_push OPENSSL_sk_push_ptr

- +#define OPENSSL_sk_value OPENSSL_sk_value_ptr

- +#define OpenSSL_version OpenSSL_version_ptr

- +#define OpenSSL_version_num OpenSSL_version_num_ptr

-  #define PEM_read_bio_PKCS7 PEM_read_bio_PKCS7_ptr

-  #define PEM_read_bio_X509_AUX PEM_read_bio_X509_AUX_ptr

-  #define PEM_read_bio_X509_CRL PEM_read_bio_X509_CRL_ptr

- @@ -551,22 +720,30 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define RAND_poll RAND_poll_ptr

-  #define RSA_free RSA_free_ptr

-  #define RSA_generate_key_ex RSA_generate_key_ex_ptr

- +#define RSA_get0_crt_params RSA_get0_crt_params_ptr

- +#define RSA_get0_factors RSA_get0_factors_ptr

- +#define RSA_get0_key RSA_get0_key_ptr

-  #define RSA_get_method RSA_get_method_ptr

- +#define RSA_meth_get_flags RSA_meth_get_flags_ptr

-  #define RSA_new RSA_new_ptr

-  #define RSA_private_decrypt RSA_private_decrypt_ptr

-  #define RSA_private_encrypt RSA_private_encrypt_ptr

-  #define RSA_public_decrypt RSA_public_decrypt_ptr

-  #define RSA_public_encrypt RSA_public_encrypt_ptr

- +#define RSA_set0_crt_params RSA_set0_crt_params_ptr

- +#define RSA_set0_factors RSA_set0_factors_ptr

- +#define RSA_set0_key RSA_set0_key_ptr

-  #define RSA_sign RSA_sign_ptr

-  #define RSA_size RSA_size_ptr

-  #define RSA_up_ref RSA_up_ref_ptr

-  #define RSA_verify RSA_verify_ptr

- -#define sk_free sk_free_ptr

- -#define sk_new_null sk_new_null_ptr

- -#define sk_num sk_num_ptr

- -#define sk_pop_free sk_pop_free_ptr

- -#define sk_push sk_push_ptr

- -#define sk_value sk_value_ptr

- +#define sk_free OPENSSL_sk_free_ptr

- +#define sk_new_null OPENSSL_sk_new_null_ptr

- +#define sk_num OPENSSL_sk_num_ptr

- +#define sk_pop_free OPENSSL_sk_pop_free_ptr

- +#define sk_push OPENSSL_sk_push_ptr

- +#define sk_value OPENSSL_sk_value_ptr

- +#define SSL_CIPHER_get_bits SSL_CIPHER_get_bits_ptr

-  #define SSL_CIPHER_description SSL_CIPHER_description_ptr

-  #define SSL_ctrl SSL_ctrl_ptr

-  #define SSL_set_quiet_shutdown SSL_set_quiet_shutdown_ptr

- @@ -579,7 +756,9 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define SSL_CTX_set_cert_verify_callback SSL_CTX_set_cert_verify_callback_ptr

-  #define SSL_CTX_set_cipher_list SSL_CTX_set_cipher_list_ptr

-  #define SSL_CTX_set_client_cert_cb SSL_CTX_set_client_cert_cb_ptr

- +#define SSL_CTX_set_options SSL_CTX_set_options_ptr

-  #define SSL_CTX_set_quiet_shutdown SSL_CTX_set_quiet_shutdown_ptr

- +#define SSL_CTX_set_security_level SSL_CTX_set_security_level_ptr

-  #define SSL_CTX_set_verify SSL_CTX_set_verify_ptr

-  #define SSL_CTX_use_certificate SSL_CTX_use_certificate_ptr

-  #define SSL_CTX_use_PrivateKey SSL_CTX_use_PrivateKey_ptr

- @@ -595,25 +774,26 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define SSL_get_SSL_CTX SSL_get_SSL_CTX_ptr

-  #define SSL_get_version SSL_get_version_ptr

-  #define SSL_get0_alpn_selected SSL_get0_alpn_selected_ptr

- +#define SSL_is_init_finished SSL_is_init_finished_ptr

-  #define SSL_library_init SSL_library_init_ptr

-  #define SSL_load_error_strings SSL_load_error_strings_ptr

-  #define SSL_new SSL_new_ptr

-  #define SSL_read SSL_read_ptr

-  #define SSL_renegotiate_pending SSL_renegotiate_pending_ptr

- +#define SSL_session_reused SSL_session_reused_ptr

-  #define SSL_set_accept_state SSL_set_accept_state_ptr

-  #define SSL_set_bio SSL_set_bio_ptr

-  #define SSL_set_connect_state SSL_set_connect_state_ptr

-  #define SSL_shutdown SSL_shutdown_ptr

-  #define SSL_state SSL_state_ptr

-  #define SSLeay_version SSLeay_version_ptr

- -#define SSLv23_method SSLv23_method_ptr

- +#define SSLeay SSLeay_ptr

-  #define SSL_write SSL_write_ptr

- -#define TLSv1_1_method TLSv1_1_method_ptr

- -#define TLSv1_2_method TLSv1_2_method_ptr

- -#define TLSv1_method TLSv1_method_ptr

- +#define TLS_method TLS_method_ptr

-  #define X509_check_issued X509_check_issued_ptr

-  #define X509_check_purpose X509_check_purpose_ptr

-  #define X509_CRL_free X509_CRL_free_ptr

- +#define X509_CRL_get0_nextUpdate X509_CRL_get0_nextUpdate_ptr

-  #define X509_digest X509_digest_ptr

-  #define X509_dup X509_dup_ptr

-  #define X509_EXTENSION_create_by_OBJ X509_EXTENSION_create_by_OBJ_ptr

- @@ -622,6 +802,10 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define X509_EXTENSION_get_data X509_EXTENSION_get_data_ptr

-  #define X509_EXTENSION_get_object X509_EXTENSION_get_object_ptr

-  #define X509_free X509_free_ptr

- +#define X509_get0_notAfter X509_get0_notAfter_ptr

- +#define X509_get0_notBefore X509_get0_notBefore_ptr

- +#define X509_get0_pubkey_bitstr X509_get0_pubkey_bitstr_ptr

- +#define X509_get0_tbs_sigalg X509_get0_tbs_sigalg_ptr

-  #define X509_get_default_cert_dir X509_get_default_cert_dir_ptr

-  #define X509_get_default_cert_dir_env X509_get_default_cert_dir_env_ptr

-  #define X509_get_default_cert_file X509_get_default_cert_file_ptr

- @@ -632,18 +816,24 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define X509_get_issuer_name X509_get_issuer_name_ptr

-  #define X509_get_serialNumber X509_get_serialNumber_ptr

-  #define X509_get_subject_name X509_get_subject_name_ptr

- +#define X509_get_X509_PUBKEY X509_get_X509_PUBKEY_ptr

- +#define X509_get_version X509_get_version_ptr

-  #define X509_issuer_name_hash X509_issuer_name_hash_ptr

-  #define X509_NAME_entry_count X509_NAME_entry_count_ptr

-  #define X509_NAME_ENTRY_get_data X509_NAME_ENTRY_get_data_ptr

-  #define X509_NAME_ENTRY_get_object X509_NAME_ENTRY_get_object_ptr

-  #define X509_NAME_free X509_NAME_free_ptr

- +#define X509_NAME_get0_der X509_NAME_get0_der_ptr

-  #define X509_NAME_get_entry X509_NAME_get_entry_ptr

-  #define X509_NAME_get_index_by_NID X509_NAME_get_index_by_NID_ptr

- +#define X509_PUBKEY_get0_param X509_PUBKEY_get0_param_ptr

-  #define X509_PUBKEY_get X509_PUBKEY_get_ptr

-  #define X509_STORE_add_cert X509_STORE_add_cert_ptr

-  #define X509_STORE_add_crl X509_STORE_add_crl_ptr

-  #define X509_STORE_CTX_free X509_STORE_CTX_free_ptr

- +#define X509_STORE_CTX_get0_cert X509_STORE_CTX_get0_cert_ptr

-  #define X509_STORE_CTX_get0_param X509_STORE_CTX_get0_param_ptr

- +#define X509_STORE_CTX_get0_untrusted X509_STORE_CTX_get0_untrusted_ptr

-  #define X509_STORE_CTX_get1_chain X509_STORE_CTX_get1_chain_ptr

-  #define X509_STORE_CTX_get_error X509_STORE_CTX_get_error_ptr

-  #define X509_STORE_CTX_get_error_depth X509_STORE_CTX_get_error_depth_ptr

- @@ -655,6 +845,7 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define X509_STORE_new X509_STORE_new_ptr

-  #define X509_STORE_set_flags X509_STORE_set_flags_ptr

-  #define X509V3_EXT_print X509V3_EXT_print_ptr

- +#define X509_up_ref X509_up_ref_ptr

-  #define X509_verify_cert X509_verify_cert_ptr

-  #define X509_verify_cert_error_string X509_verify_cert_error_string_ptr

-  #define X509_VERIFY_PARAM_set_time X509_VERIFY_PARAM_set_time_ptr

- @@ -664,8 +855,99 @@ FOR_ALL_OPENSSL_FUNCTIONS

-  #define EC_POINT_get_affine_coordinates_GF2m EC_POINT_get_affine_coordinates_GF2m_ptr

-  #define EC_POINT_set_affine_coordinates_GF2m EC_POINT_set_affine_coordinates_GF2m_ptr

-  

- +

- +// STACK_OF types will have been declared with inline functions to handle the pointer casting.

- +// Since these inline functions are strongly bound to the OPENSSL_sk_* functions in 1.1 we need to

- +// rebind things here.

- +#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_1_1_0_RTM

- +// type-safe OPENSSL_sk_free

- +#define sk_GENERAL_NAME_free(stack) OPENSSL_sk_free((OPENSSL_STACK*)(1 ? stack : (STACK_OF(GENERAL_NAME)*)0))

- +

- +// type-safe OPENSSL_sk_num

- +#define sk_ASN1_OBJECT_num(stack) OPENSSL_sk_num((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(ASN1_OBJECT)*)0))

- +#define sk_GENERAL_NAME_num(stack) OPENSSL_sk_num((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(GENERAL_NAME)*)0))

- +#define sk_X509_NAME_num(stack) OPENSSL_sk_num((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(X509_NAME)*)0))

- +#define sk_X509_num(stack) OPENSSL_sk_num((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(X509)*)0))

- +

- +// type-safe OPENSSL_sk_new_null

- +#define sk_X509_new_null() (STACK_OF(X509)*)OPENSSL_sk_new_null()

- +#define sk_X509_NAME_new_null() (STACK_OF(X509_NAME)*)OPENSSL_sk_new_null()

- +

- +// type-safe OPENSSL_sk_push

- +#define sk_X509_push(stack,value) OPENSSL_sk_push((OPENSSL_STACK*)(1 ? stack : (STACK_OF(X509)*)0), (const void*)(1 ? value : (X509*)0))

- +#define sk_X509_NAME_push(stack,value) OPENSSL_sk_push((OPENSSL_STACK*)(1 ? stack : (STACK_OF(X509_NAME)*)0), (const void*)(1 ? value : (X509_NAME*)0))

- +

- +// type-safe OPENSSL_sk_pop_free

- +#define sk_X509_pop_free(stack, freefunc) OPENSSL_sk_pop_free((OPENSSL_STACK*)(1 ? stack : (STACK_OF(X509)*)0), (OPENSSL_sk_freefunc)(1 ? freefunc : (sk_X509_freefunc)0))

- +#define sk_X509_NAME_pop_free(stack, freefunc) OPENSSL_sk_pop_free((OPENSSL_STACK*)(1 ? stack : (STACK_OF(X509_NAME)*)0), (OPENSSL_sk_freefunc)(1 ? freefunc : (sk_X509_NAME_freefunc)0))

- +

- +// type-safe OPENSSL_sk_value

- +#define sk_ASN1_OBJECT_value(stack, idx) (ASN1_OBJECT*)OPENSSL_sk_value((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(ASN1_OBJECT)*)0), idx)

- +#define sk_GENERAL_NAME_value(stack, idx) (GENERAL_NAME*)OPENSSL_sk_value((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(GENERAL_NAME)*)0), idx)

- +#define sk_X509_NAME_value(stack, idx) (X509_NAME*)OPENSSL_sk_value((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(X509_NAME)*)0), idx)

- +#define sk_X509_value(stack, idx) (X509*)OPENSSL_sk_value((const OPENSSL_STACK*)(1 ? stack : (const STACK_OF(X509)*)0), idx)

- +#endif

- +

- +

-  #else // FEATURE_DISTRO_AGNOSTIC_SSL

-  

-  #define API_EXISTS(fn) true

-  

- +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM

- +

- +#define NEED_OPENSSL_1_0 true

- +

- +// Alias "future" API to the local_ version.

- +#define DSA_get0_key local_DSA_get0_key

- +#define DSA_get0_pqg local_DSA_get0_pqg

- +#define DSA_get_method local_DSA_get_method

- +#define DSA_set0_key local_DSA_set0_key

- +#define DSA_set0_pqg local_DSA_set0_pqg

- +#define EVP_CIPHER_CTX_free local_EVP_CIPHER_CTX_free

- +#define EVP_CIPHER_CTX_new local_EVP_CIPHER_CTX_new

- +#define EVP_CIPHER_CTX_reset local_EVP_CIPHER_CTX_reset

- +#define EVP_PKEY_up_ref local_EVP_PKEY_up_ref

- +#define HMAC_CTX_free local_HMAC_CTX_free

- +#define HMAC_CTX_new local_HMAC_CTX_new

- +#define OpenSSL_version local_OpenSSL_version

- +#define RSA_get0_crt_params local_RSA_get0_crt_params

- +#define RSA_get0_factors local_RSA_get0_factors

- +#define RSA_get0_key local_RSA_get0_key

- +#define RSA_meth_get_flags local_RSA_meth_get_flags

- +#define RSA_set0_crt_params local_RSA_set0_crt_params

- +#define RSA_set0_factors local_RSA_set0_factors

- +#define RSA_set0_key local_RSA_set0_key

- +#define SSL_CTX_set_security_level local_SSL_CTX_set_security_level

- +#define SSL_is_init_finished local_SSL_is_init_finished

- +#define X509_CRL_get0_nextUpdate local_X509_CRL_get0_nextUpdate

- +#define X509_NAME_get0_der local_X509_NAME_get0_der

- +#define X509_PUBKEY_get0_param local_X509_PUBKEY_get0_param

- +#define X509_STORE_CTX_get0_cert local_X509_STORE_CTX_get0_cert

- +#define X509_STORE_CTX_get0_untrusted local_X509_STORE_CTX_get0_untrusted

- +#define X509_get0_notAfter local_X509_get0_notAfter

- +#define X509_get0_notBefore local_X509_get0_notBefore

- +#define X509_get0_pubkey_bitstr local_X509_get0_pubkey_bitstr

- +#define X509_get0_tbs_sigalg local_X509_get0_tbs_sigalg

- +#define X509_get_X509_PUBKEY local_X509_get_X509_PUBKEY

- +#define X509_get_version local_X509_get_version

- +#define X509_up_ref local_X509_up_ref

- +

- +// Restore the old names for RENAMED_FUNCTION functions.

- +#define EVP_MD_CTX_free EVP_MD_CTX_destroy

- +#define EVP_MD_CTX_new EVP_MD_CTX_create

- +#define OPENSSL_sk_free sk_free

- +#define OPENSSL_sk_new_null sk_new_null

- +#define OPENSSL_sk_num sk_num

- +#define OPENSSL_sk_pop_free sk_pop_free

- +#define OPENSSL_sk_push sk_push

- +#define OPENSSL_sk_value sk_value

- +#define TLS_method SSLv23_method

- +#define OpenSSL_version_num SSLeay

- +

- +#else // if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM

- +

- +#define NEED_OPENSSL_1_1 true

- +

- +#endif

- +

-  #endif // FEATURE_DISTRO_AGNOSTIC_SSL

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1.cpp

- index 5429592e57..006881aa33 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1.cpp

- @@ -42,7 +42,7 @@ extern "C" int32_t CryptoNative_ObjSn2Nid(const char* sn)

-      return OBJ_sn2nid(sn);

-  }

-  

- -extern "C" ASN1_OBJECT* CryptoNative_ObjNid2Obj(int32_t nid)

- +extern "C" const ASN1_OBJECT* CryptoNative_ObjNid2Obj(int32_t nid)

-  {

-      return OBJ_nid2obj(nid);

-  }

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1.h

- index 6ec1795d25..6f9445aa9f 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1.h

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1.h

- @@ -42,7 +42,7 @@ extern "C" int32_t CryptoNative_ObjSn2Nid(const char* sn);

-  /*

-  Direct shim to OBJ_nid2obj.

-  */

- -extern "C" ASN1_OBJECT* CryptoNative_ObjNid2Obj(int32_t nid);

- +extern "C" const ASN1_OBJECT* CryptoNative_ObjNid2Obj(int32_t nid);

-  

-  /*

-  Direct shim to ASN1_OBJECT_free.

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.cpp

- index 01a544f5e9..328b5e5935 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_asn1_print.cpp

- @@ -31,12 +31,19 @@ static_assert(PAL_ASN1_STRFLGS_UTF8_CONVERT == ASN1_STRFLGS_UTF8_CONVERT, "");

-  

-  extern "C" ASN1_STRING* CryptoNative_DecodeAsn1TypeBytes(const uint8_t* buf, int32_t len, Asn1StringTypeFlags type)

-  {

- -    if (!buf || !len)

- +#if NEED_OPENSSL_1_0

- +    if (!API_EXISTS(d2i_ASN1_type_bytes) || !buf || !len)

-      {

-          return nullptr;

-      }

-  

-      return d2i_ASN1_type_bytes(nullptr, &buf, len, type);

- +#else

- +    (void)buf;

- +    (void)len;

- +    (void)type;

- +    return nullptr;

- +#endif

-  }

-  

-  extern "C" int32_t CryptoNative_Asn1StringPrintEx(BIO* out, ASN1_STRING* str, Asn1StringPrintFlags flags)

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_crypto_config.h.in b/src/Native/Unix/System.Security.Cryptography.Native/pal_crypto_config.h.in

- index 6aea13f2c6..1aa48ba9d7 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_crypto_config.h.in

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_crypto_config.h.in

- @@ -1,6 +1,4 @@

-  #pragma once

-  

- -#cmakedefine01 HAVE_TLS_V1_1

- -#cmakedefine01 HAVE_TLS_V1_2

-  #cmakedefine01 HAVE_OPENSSL_EC2M

-  #cmakedefine01 HAVE_OPENSSL_ALPN

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_dsa.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_dsa.cpp

- index af9ce59d64..74d76a89d7 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_dsa.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_dsa.cpp

- @@ -45,12 +45,34 @@ extern "C" int32_t CryptoNative_DsaSizeSignature(DSA* dsa)

-  

-  extern "C" int32_t CryptoNative_DsaSizeP(DSA* dsa)

-  {

- -    return BN_num_bytes(dsa->p);

- +    if (dsa)

- +    {

- +        const BIGNUM* p;

- +        DSA_get0_pqg(dsa, &p, nullptr, nullptr);

- +

- +        if (p)

- +        {

- +            return BN_num_bytes(p);

- +        }

- +    }

- +

- +    return -1;

-  }

-  

-  extern "C" int32_t CryptoNative_DsaSizeQ(DSA* dsa)

-  {

- -    return BN_num_bytes(dsa->q);

- +    if (dsa)

- +    {

- +        const BIGNUM* q;

- +        DSA_get0_pqg(dsa, nullptr, &q, nullptr);

- +

- +        if (q)

- +        {

- +            return BN_num_bytes(q);

- +        }

- +    }

- +

- +    return -1;

-  }

-  

-  extern "C" int32_t CryptoNative_DsaSign(

- @@ -67,11 +89,18 @@ extern "C" int32_t CryptoNative_DsaSign(

-      }

-  

-      // DSA_OpenSSL() returns a shared pointer, no need to free/cache.

- -    if (dsa->meth == DSA_OpenSSL() && dsa->priv_key == nullptr)

- +    if (DSA_get_method(dsa) == DSA_OpenSSL())

-      {

- -        *outSignatureLength = 0;

- -        ERR_PUT_error(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, DSA_R_MISSING_PARAMETERS, __FILE__, __LINE__);

- -        return 0;

- +        const BIGNUM* privKey;

- +

- +        DSA_get0_key(dsa, nullptr, &privKey);

- +

- +        if (!privKey)

- +        {

- +            *outSignatureLength = 0;

- +            ERR_PUT_error(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, DSA_R_MISSING_PARAMETERS, __FILE__, __LINE__);

- +            return 0;

- +        }

-      }

-  

-      unsigned int unsignedSigLen = 0;

- @@ -111,11 +140,11 @@ extern "C" int32_t CryptoNative_DsaVerify(

-  

-  extern "C" int32_t CryptoNative_GetDsaParameters(

-      const DSA* dsa,

- -    BIGNUM** p, int32_t* pLength,

- -    BIGNUM** q, int32_t* qLength,

- -    BIGNUM** g, int32_t* gLength,

- -    BIGNUM** y, int32_t* yLength,

- -    BIGNUM** x, int32_t* xLength)

- +    const BIGNUM** p, int32_t* pLength,

- +    const BIGNUM** q, int32_t* qLength,

- +    const BIGNUM** g, int32_t* gLength,

- +    const BIGNUM** y, int32_t* yLength,

- +    const BIGNUM** x, int32_t* xLength)

-  {

-      if (!dsa || !p || !q || !g || !y || !x)

-      {

- @@ -129,39 +158,28 @@ extern "C" int32_t CryptoNative_GetDsaParameters(

-          if (x) *x = nullptr; if (xLength) *xLength = 0;

-          return 0;

-      }

- -    

- -    *p = dsa->p; *pLength = BN_num_bytes(*p);

- -    *q = dsa->q; *qLength = BN_num_bytes(*q);

- -    *g = dsa->g; *gLength = BN_num_bytes(*g);

- -    *y = dsa->pub_key; *yLength = BN_num_bytes(*y);

- -

- -    // dsa->priv_key is optional

- -    *x = dsa->priv_key;

- +

- +    DSA_get0_pqg(dsa, p, q, g);

- +    *pLength = BN_num_bytes(*p);

- +    *qLength = BN_num_bytes(*q);

- +    *gLength = BN_num_bytes(*g);

- +

- +    DSA_get0_key(dsa, y, x);

- +    *yLength = BN_num_bytes(*y);

- +    // x (the private key) is optional

-      *xLength = (*x == nullptr) ? 0 : BN_num_bytes(*x);

-  

-      return 1;

-  }

-  

- -static int32_t SetDsaParameter(BIGNUM** dsaFieldAddress, uint8_t* buffer, int32_t bufferLength)

- +static BIGNUM* MakeBignum(uint8_t* buffer, int32_t bufferLength)

-  {

- -    assert(dsaFieldAddress != nullptr);

- -    if (dsaFieldAddress)

- +    if (buffer && bufferLength)

-      {

- -        if (!buffer || !bufferLength)

- -        {

- -            *dsaFieldAddress = nullptr;

- -            return 1;

- -        }

- -        else

- -        {

- -            BIGNUM* bigNum = BN_bin2bn(buffer, bufferLength, nullptr);

- -            *dsaFieldAddress = bigNum;

- -

- -            return bigNum != nullptr;

- -        }

- +        return BN_bin2bn(buffer, bufferLength, nullptr);

-      }

-  

- -    return 0;

- +    return nullptr;

-  }

-  

-  extern "C" int32_t CryptoNative_DsaKeyCreateByExplicitParameters(

- @@ -191,10 +209,33 @@ extern "C" int32_t CryptoNative_DsaKeyCreateByExplicitParameters(

-  

-      DSA* dsa = *outDsa;

-  

- -    return

- -        SetDsaParameter(&dsa->p, p, pLength) &&

- -        SetDsaParameter(&dsa->q, q, qLength) &&

- -        SetDsaParameter(&dsa->g, g, gLength) &&

- -        SetDsaParameter(&dsa->pub_key, y, yLength) &&

- -        SetDsaParameter(&dsa->priv_key, x, xLength);

- +    BIGNUM* bnP = MakeBignum(p, pLength);

- +    BIGNUM* bnQ = MakeBignum(q, qLength);

- +    BIGNUM* bnG = MakeBignum(g, gLength);

- +

- +    if (!DSA_set0_pqg(dsa, bnP, bnQ, bnG))

- +    {

- +        // BN_free handles NULL input

- +        BN_free(bnP);

- +        BN_free(bnQ);

- +        BN_free(bnG);

- +        return 0;

- +    }

- +

- +    // Control was transferred, do not free.

- +    bnP = nullptr;

- +    bnQ = nullptr;

- +    bnG = nullptr;

- +

- +    BIGNUM* bnY = MakeBignum(y, yLength);

- +    BIGNUM* bnX = MakeBignum(x, xLength);

- +

- +    if (!DSA_set0_key(dsa, bnY, bnX))

- +    {

- +        BN_free(bnY);

- +        BN_free(bnX);

- +        return 0;

- +    }

- +

- +    return 1;

-  }

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_dsa.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_dsa.h

- index ede7065992..0236741ffa 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_dsa.h

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_dsa.h

- @@ -87,11 +87,11 @@ Returns 1 upon success, otherwise 0.

-  */

-  extern "C" int32_t CryptoNative_GetDsaParameters(

-      const DSA* dsa,

- -    BIGNUM** p, int32_t* pLength,

- -    BIGNUM** q, int32_t* qLength,

- -    BIGNUM** g, int32_t* gLength,

- -    BIGNUM** y, int32_t* yLength,

- -    BIGNUM** x, int32_t* xLength);

- +    const BIGNUM** p, int32_t* pLength,

- +    const BIGNUM** q, int32_t* qLength,

- +    const BIGNUM** g, int32_t* gLength,

- +    const BIGNUM** y, int32_t* yLength,

- +    const BIGNUM** x, int32_t* xLength);

-  

-  /*

-  Sets all the parameters on the DSA instance.

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp.cpp

- index 1fbadce9af..d3157ead17 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp.cpp

- @@ -10,7 +10,7 @@

-  

-  extern "C" EVP_MD_CTX* CryptoNative_EvpMdCtxCreate(const EVP_MD* type)

-  {

- -    EVP_MD_CTX* ctx = EVP_MD_CTX_create();

- +    EVP_MD_CTX* ctx = EVP_MD_CTX_new();

-      if (ctx == nullptr)

-      {

-          // Allocation failed

- @@ -20,7 +20,7 @@ extern "C" EVP_MD_CTX* CryptoNative_EvpMdCtxCreate(const EVP_MD* type)

-      int ret = EVP_DigestInit_ex(ctx, type, nullptr);

-      if (!ret)

-      {

- -        EVP_MD_CTX_destroy(ctx);

- +        EVP_MD_CTX_free(ctx);

-          return nullptr;

-      }

-  

- @@ -31,7 +31,7 @@ extern "C" void CryptoNative_EvpMdCtxDestroy(EVP_MD_CTX* ctx)

-  {

-      if (ctx != nullptr)

-      {

- -        EVP_MD_CTX_destroy(ctx);

- +        EVP_MD_CTX_free(ctx);

-      }

-  }

-  

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_cipher.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_cipher.cpp

- index 1f2e80e114..1dc218cac3 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_cipher.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_cipher.cpp

- @@ -5,7 +5,6 @@

-  #include "pal_evp_cipher.h"

-  

-  #include <assert.h>

- -#include <memory>

-  

-  #define SUCCESS 1

-  #define KEEP_CURRENT_DIRECTION -1

- @@ -19,28 +18,34 @@ CryptoNative_EvpCipherCreate(const EVP_CIPHER* type, uint8_t* key, unsigned char

-  extern "C" EVP_CIPHER_CTX*

-  CryptoNative_EvpCipherCreate2(const EVP_CIPHER* type, uint8_t* key, int32_t keyLength, int32_t effectiveKeyLength, unsigned char* iv, int32_t enc)

-  {

- -    std::unique_ptr<EVP_CIPHER_CTX> ctx(new (std::nothrow) EVP_CIPHER_CTX);

- +    EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();

-      if (ctx == nullptr)

-      {

-          // Allocation failed

-          return nullptr;

-      }

-  

- -    EVP_CIPHER_CTX_init(ctx.get());

- +    if (!EVP_CIPHER_CTX_reset(ctx))

- +    {

- +        EVP_CIPHER_CTX_free(ctx);

- +        return nullptr;

- +    }

-  

-      // Perform partial initialization so we can set the key lengths

- -    int ret = EVP_CipherInit_ex(ctx.get(), type, nullptr, nullptr, nullptr, 0);

- +    int ret = EVP_CipherInit_ex(ctx, type, nullptr, nullptr, nullptr, 0);

-      if (!ret)

-      {

- +        EVP_CIPHER_CTX_free(ctx);

-          return nullptr;

-      }

-  

-      if (keyLength > 0)

-      {

-          // Necessary when the default key size is different than current

- -        ret = EVP_CIPHER_CTX_set_key_length(ctx.get(), keyLength / 8);

- +        ret = EVP_CIPHER_CTX_set_key_length(ctx, keyLength / 8);

-          if (!ret)

-          {

- +            EVP_CIPHER_CTX_free(ctx);

-              return nullptr;

-          }

-      }

- @@ -48,29 +53,30 @@ CryptoNative_EvpCipherCreate2(const EVP_CIPHER* type, uint8_t* key, int32_t keyL

-      if (effectiveKeyLength > 0)

-      {

-          // Necessary for RC2

- -        ret = EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_SET_RC2_KEY_BITS, effectiveKeyLength, nullptr);

- +        ret = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, effectiveKeyLength, nullptr);

-          if (ret <= 0)

-          {

- +            EVP_CIPHER_CTX_free(ctx);

-              return nullptr;

-          }

-      }

-  

-      // Perform final initialization specifying the remaining arguments

- -    ret = EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key, iv, enc);

- +    ret = EVP_CipherInit_ex(ctx, nullptr, nullptr, key, iv, enc);

-      if (!ret)

-      {

- +        EVP_CIPHER_CTX_free(ctx);

-          return nullptr;

-      }

-  

- -    return ctx.release();

- +    return ctx;

-  }

-  

-  extern "C" void CryptoNative_EvpCipherDestroy(EVP_CIPHER_CTX* ctx)

-  {

-      if (ctx != nullptr)

-      {

- -        EVP_CIPHER_CTX_cleanup(ctx);

- -        delete ctx;

- +        EVP_CIPHER_CTX_free(ctx);

-      }

-  }

-  

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.cpp

- index 384030740e..f27e93325f 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey.cpp

- @@ -24,5 +24,5 @@ extern "C" int32_t CryptoNative_UpRefEvpPkey(EVP_PKEY* pkey)

-          return 0;

-      }

-  

- -    return CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);

- +    return EVP_PKEY_up_ref(pkey);

-  }

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.cpp

- index 10eef6809c..539dc07683 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.cpp

- @@ -7,7 +7,6 @@

-  #include "pal_hmac.h"

-  

-  #include <assert.h>

- -#include <memory>

-  

-  extern "C" HMAC_CTX* CryptoNative_HmacCreate(const uint8_t* key, int32_t keyLen, const EVP_MD* md)

-  {

- @@ -15,7 +14,7 @@ extern "C" HMAC_CTX* CryptoNative_HmacCreate(const uint8_t* key, int32_t keyLen,

-      assert(keyLen >= 0);

-      assert(md != nullptr);

-  

- -    std::unique_ptr<HMAC_CTX> ctx(new (std::nothrow) HMAC_CTX);

- +    HMAC_CTX* ctx = HMAC_CTX_new();

-      if (ctx == nullptr)

-      {

-          // Allocation failed

- @@ -28,23 +27,22 @@ extern "C" HMAC_CTX* CryptoNative_HmacCreate(const uint8_t* key, int32_t keyLen,

-      if (keyLen == 0)

-          key = &_;

-  

- -    HMAC_CTX_init(ctx.get());

- -    int ret = HMAC_Init_ex(ctx.get(), key, keyLen, md, nullptr);

- +    int ret = HMAC_Init_ex(ctx, key, keyLen, md, nullptr);

-  

-      if (!ret)

-      {

- +        free(ctx);

-          return nullptr;

-      }

-  

- -    return ctx.release();

- +    return ctx;

-  }

-  

-  extern "C" void CryptoNative_HmacDestroy(HMAC_CTX* ctx)

-  {

-      if (ctx != nullptr)

-      {

- -        HMAC_CTX_cleanup(ctx);

- -        delete ctx;

- +        HMAC_CTX_free(ctx);

-      }

-  }

-  

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.h

- index 131e148c00..570d28e70c 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.h

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.h

- @@ -12,7 +12,6 @@

-  

-  // Forward declarations - shim API must not depend on knowing layout of these types.

-  typedef struct hmac_ctx_st HMAC_CTX;

- -typedef struct env_md_st EVP_MD;

-  

-  /**

-   * Creates and initializes an HMAC_CTX with the given key and EVP_MD.

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.cpp

- index 9ad896aa72..7fa6585c99 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.cpp

- @@ -58,8 +58,13 @@ static int HasNoPrivateKey(RSA* rsa)

-  

-      // The method has descibed itself as having the private key external to the structure.

-      // That doesn't mean it's actually present, but we can't tell.

- -    if (meth->flags & RSA_FLAG_EXT_PKEY)

- +#pragma clang diagnostic push

- +#pragma clang diagnostic ignored "-Wcast-qual"

- +    if (RSA_meth_get_flags((RSA_METHOD*)meth) & RSA_FLAG_EXT_PKEY)

- +#pragma clang diagnostic pop

- +    {

-          return 0;

- +    }

-  

-      // In the event that there's a middle-ground where we report failure when success is expected,

-      // one could do something like check if the RSA_METHOD intercepts all private key operations:

- @@ -72,11 +77,27 @@ static int HasNoPrivateKey(RSA* rsa)

-  

-      // The module is documented as accepting either d or the full set of CRT parameters (p, q, dp, dq, qInv)

-      // So if we see d, we're good. Otherwise, if any of the rest are missing, we're public-only.

- -    if (rsa->d != nullptr)

- +    const BIGNUM* d;

- +    RSA_get0_key(rsa, nullptr, nullptr, &d);

- +

- +    if (d != nullptr)

- +    {

-          return 0;

- +    }

- +

- +    const BIGNUM* p;

- +    const BIGNUM* q;

- +    const BIGNUM* dmp1;

- +    const BIGNUM* dmq1;

- +    const BIGNUM* iqmp;

-  

- -    if (rsa->p == nullptr || rsa->q == nullptr || rsa->dmp1 == nullptr || rsa->dmq1 == nullptr || rsa->iqmp == nullptr)

- +    RSA_get0_factors(rsa, &p, &q);

- +    RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);

- +

- +    if (p == nullptr || q == nullptr || dmp1 == nullptr || dmq1 == nullptr || iqmp == nullptr)

- +    {

-          return 1;

- +    }

-  

-      return 0;

-  }

- @@ -93,7 +114,7 @@ CryptoNative_RsaPrivateDecrypt(int32_t flen, const uint8_t* from, uint8_t* to, R

-  {

-      if (HasNoPrivateKey(rsa))

-      {

- -        ERR_PUT_error(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_VALUE_MISSING, __FILE__, __LINE__);

- +        ERR_PUT_error(ERR_LIB_RSA, RSA_F_RSA_NULL_PRIVATE_DECRYPT, RSA_R_VALUE_MISSING, __FILE__, __LINE__);

-          return -1;

-      }

-  

- @@ -105,7 +126,7 @@ extern "C" int32_t CryptoNative_RsaSignPrimitive(int32_t flen, const uint8_t* fr

-  {

-      if (HasNoPrivateKey(rsa))

-      {

- -        ERR_PUT_error(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_VALUE_MISSING, __FILE__, __LINE__);

- +        ERR_PUT_error(ERR_LIB_RSA, RSA_F_RSA_NULL_PRIVATE_ENCRYPT, RSA_R_VALUE_MISSING, __FILE__, __LINE__);

-          return -1;

-      }

-  

- @@ -169,14 +190,14 @@ CryptoNative_RsaVerify(int32_t type, const uint8_t* m, int32_t mlen, uint8_t* si

-  }

-  

-  extern "C" int32_t CryptoNative_GetRsaParameters(const RSA* rsa,

- -                                                 BIGNUM** n,

- -                                                 BIGNUM** e,

- -                                                 BIGNUM** d,

- -                                                 BIGNUM** p,

- -                                                 BIGNUM** dmp1,

- -                                                 BIGNUM** q,

- -                                                 BIGNUM** dmq1,

- -                                                 BIGNUM** iqmp)

- +                                                 const BIGNUM** n,

- +                                                 const BIGNUM** e,

- +                                                 const BIGNUM** d,

- +                                                 const BIGNUM** p,

- +                                                 const BIGNUM** dmp1,

- +                                                 const BIGNUM** q,

- +                                                 const BIGNUM** dmq1,

- +                                                 const BIGNUM** iqmp)

-  {

-      if (!rsa || !n || !e || !d || !p || !dmp1 || !q || !dmq1 || !iqmp)

-      {

- @@ -203,57 +224,40 @@ extern "C" int32_t CryptoNative_GetRsaParameters(const RSA* rsa,

-          return 0;

-      }

-  

- -    *n = rsa->n;

- -    *e = rsa->e;

- -    *d = rsa->d;

- -    *p = rsa->p;

- -    *dmp1 = rsa->dmp1;

- -    *q = rsa->q;

- -    *dmq1 = rsa->dmq1;

- -    *iqmp = rsa->iqmp;

- +    RSA_get0_key(rsa, n, e, d);

- +    RSA_get0_factors(rsa, p, q);

- +    RSA_get0_crt_params(rsa, dmp1, dmq1, iqmp);

-  

-      return 1;

-  }

-  

- -static int32_t SetRsaParameter(BIGNUM** rsaFieldAddress, uint8_t* buffer, int32_t bufferLength)

- +static BIGNUM* MakeBignum(uint8_t* buffer, int32_t bufferLength)

-  {

- -    assert(rsaFieldAddress != nullptr);

- -    if (rsaFieldAddress)

- +    if (buffer && bufferLength)

-      {

- -        if (!buffer || !bufferLength)

- -        {

- -            *rsaFieldAddress = nullptr;

- -            return 1;

- -        }

- -        else

- -        {

- -            BIGNUM* bigNum = BN_bin2bn(buffer, bufferLength, nullptr);

- -            *rsaFieldAddress = bigNum;

- -

- -            return bigNum != nullptr;

- -        }

- +        return BN_bin2bn(buffer, bufferLength, nullptr);

-      }

-  

- -    return 0;

- +    return nullptr;

-  }

-  

-  extern "C" int32_t CryptoNative_SetRsaParameters(RSA* rsa,

- -                                              uint8_t* n,

- -                                              int32_t nLength,

- -                                              uint8_t* e,

- -                                              int32_t eLength,

- -                                              uint8_t* d,

- -                                              int32_t dLength,

- -                                              uint8_t* p,

- -                                              int32_t pLength,

- -                                              uint8_t* dmp1,

- -                                              int32_t dmp1Length,

- -                                              uint8_t* q,

- -                                              int32_t qLength,

- -                                              uint8_t* dmq1,

- -                                              int32_t dmq1Length,

- -                                              uint8_t* iqmp,

- -                                              int32_t iqmpLength)

- +                                                 uint8_t* n,

- +                                                 int32_t nLength,

- +                                                 uint8_t* e,

- +                                                 int32_t eLength,

- +                                                 uint8_t* d,

- +                                                 int32_t dLength,

- +                                                 uint8_t* p,

- +                                                 int32_t pLength,

- +                                                 uint8_t* dmp1,

- +                                                 int32_t dmp1Length,

- +                                                 uint8_t* q,

- +                                                 int32_t qLength,

- +                                                 uint8_t* dmq1,

- +                                                 int32_t dmq1Length,

- +                                                 uint8_t* iqmp,

- +                                                 int32_t iqmpLength)

-  {

-      if (!rsa)

-      {

- @@ -261,13 +265,43 @@ extern "C" int32_t CryptoNative_SetRsaParameters(RSA* rsa,

-          return 0;

-      }

-  

- -    return 

- -        SetRsaParameter(&rsa->n, n, nLength) &&

- -        SetRsaParameter(&rsa->e, e, eLength) &&

- -        SetRsaParameter(&rsa->d, d, dLength) &&

- -        SetRsaParameter(&rsa->p, p, pLength) &&

- -        SetRsaParameter(&rsa->dmp1, dmp1, dmp1Length) &&

- -        SetRsaParameter(&rsa->q, q, qLength) &&

- -        SetRsaParameter(&rsa->dmq1, dmq1, dmq1Length) &&

- -        SetRsaParameter(&rsa->iqmp, iqmp, iqmpLength);

- +    BIGNUM* bnN = MakeBignum(n, nLength);

- +    BIGNUM* bnE = MakeBignum(e, eLength);

- +    BIGNUM* bnD = MakeBignum(d, dLength);

- +

- +    if (!RSA_set0_key(rsa, bnN, bnE, bnD))

- +    {

- +        // BN_free handles NULL input

- +        BN_free(bnN);

- +        BN_free(bnE);

- +        BN_free(bnD);

- +        return 0;

- +    }

- +

- +    if (bnD != nullptr)

- +    {

- +        BIGNUM* bnP = MakeBignum(p, pLength);

- +        BIGNUM* bnQ = MakeBignum(q, qLength);

- +

- +        if (!RSA_set0_factors(rsa, bnP, bnQ))

- +        {

- +            BN_free(bnP);

- +            BN_free(bnQ);

- +            return 0;

- +        }

- +

- +        BIGNUM* bnDmp1 = MakeBignum(dmp1, dmp1Length);

- +        BIGNUM* bnDmq1 = MakeBignum(dmq1, dmq1Length);

- +        BIGNUM* bnIqmp = MakeBignum(iqmp, iqmpLength);

- +

- +        if (!RSA_set0_crt_params(rsa, bnDmp1, bnDmq1, bnIqmp))

- +        {

- +            BN_free(bnDmp1);

- +            BN_free(bnDmq1);

- +            BN_free(bnIqmp);

- +            return 0;

- +        }

- +    }

- +

- +    return 1;

-  }

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.h

- index c4a2737ced..b075911c47 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.h

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_rsa.h

- @@ -114,14 +114,14 @@ Gets all the parameters from the RSA instance.

-  Returns 1 upon success, otherwise 0.

-  */

-  extern "C" int32_t CryptoNative_GetRsaParameters(const RSA* rsa,

- -                                                 BIGNUM** n,

- -                                                 BIGNUM** e,

- -                                                 BIGNUM** d,

- -                                                 BIGNUM** p,

- -                                                 BIGNUM** dmp1,

- -                                                 BIGNUM** q,

- -                                                 BIGNUM** dmq1,

- -                                                 BIGNUM** iqmp);

- +                                                const BIGNUM** n,

- +                                                const BIGNUM** e,

- +                                                const BIGNUM** d,

- +                                                const BIGNUM** p,

- +                                                const BIGNUM** dmp1,

- +                                                const BIGNUM** q,

- +                                                const BIGNUM** dmq1,

- +                                                const BIGNUM** iqmp);

-  

-  /*

-  Sets all the parameters on the RSA instance.

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.cpp

- index 0d87a8a5f1..b0ebba0ce1 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.cpp

- @@ -3,6 +3,7 @@

-  // See the LICENSE file in the project root for more information.

-  

-  #include "pal_ssl.h"

- +#include "openssl.h"

-  

-  #include <assert.h>

-  #include <string.h>

- @@ -16,16 +17,34 @@ static_assert(PAL_SSL_ERROR_ZERO_RETURN == SSL_ERROR_ZERO_RETURN, "");

-  

-  extern "C" int32_t CryptoNative_EnsureOpenSslInitialized();

-  

- -extern "C" void CryptoNative_EnsureLibSslInitialized()

- +#ifdef NEED_OPENSSL_1_0

- +static void EnsureLibSsl10Initialized()

-  {

- -    CryptoNative_EnsureOpenSslInitialized();

-      SSL_library_init();

-      SSL_load_error_strings();

-  }

- +#endif

- +

- +extern "C" void CryptoNative_EnsureLibSslInitialized()

- +{

- +    CryptoNative_EnsureOpenSslInitialized();

- +

- +    // If portable, call the 1.0 initializer when needed.

- +    // If 1.0, call it statically.

- +    // In 1.1 no action is required, since EnsureOpenSslInitialized does both libraries.

- +#ifdef FEATURE_DISTRO_AGNOSTIC_SSL

- +    if (API_EXISTS(SSL_state))

- +    {

- +        EnsureLibSsl10Initialized();

- +    }

- +#elif OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0_RTM

- +    EnsureLibSsl10Initialized();

- +#endif

- +}

-  

-  extern "C" const SSL_METHOD* CryptoNative_SslV2_3Method()

-  {

- -    const SSL_METHOD* method = SSLv23_method();

- +    const SSL_METHOD* method = TLS_method();

-      assert(method != nullptr);

-      return method;

-  }

- @@ -51,19 +70,39 @@ Returns 1 on success, 0 on failure.

-  */

-  static long TrySetECDHNamedCurve(SSL_CTX* ctx)

-  {

- -	long result = 0;

- -#ifdef SSL_CTX_set_ecdh_auto

- -	result = SSL_CTX_set_ecdh_auto(ctx, 1);

- -#else

- -	EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);

- -	if (ecdh != nullptr)

- -	{

- -		result = SSL_CTX_set_tmp_ecdh(ctx, ecdh);

- -		EC_KEY_free(ecdh);

- -	}

- +#ifdef NEED_OPENSSL_1_0

- +    long result = 0;

- +    unsigned long version = OpenSSL_version_num();

- +

- +    if (version >= OPENSSL_VERSION_1_1_0_RTM)

- +    {

- +        // OpenSSL 1.1+ automatically set up ECDH

- +        result = 1;

- +    }

- +    else if (version >= OPENSSL_VERSION_1_0_2_RTM)

- +    {

- +#ifndef SSL_CTRL_SET_ECDH_AUTO

- +#define SSL_CTRL_SET_ECDH_AUTO 94

-  #endif

- +        // Expanded form of SSL_CTX_set_ecdh_auto(ctx, 1)

- +        result = SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, nullptr);

- +    }

- +    else

- +    {

- +        EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);

- +

- +        if (ecdh != nullptr)

- +        {

- +            result = SSL_CTX_set_tmp_ecdh(ctx, ecdh);

- +            EC_KEY_free(ecdh);

- +        }

- +    }

-  

-  	return result;

- +#else

- +    (void)ctx;

- +    return 1;

- +#endif

-  }

-  

-  extern "C" void CryptoNative_SetProtocolOptions(SSL_CTX* ctx, SslProtocols protocols)

- @@ -80,7 +119,7 @@ extern "C" void CryptoNative_SetProtocolOptions(SSL_CTX* ctx, SslProtocols proto

-          return;

-      }

-  

- -    long protocolOptions = 0;

- +    unsigned long protocolOptions = 0;

-  

-      if ((protocols & PAL_SSL_SSL2) != PAL_SSL_SSL2)

-      {

- @@ -94,20 +133,26 @@ extern "C" void CryptoNative_SetProtocolOptions(SSL_CTX* ctx, SslProtocols proto

-      {

-          protocolOptions |= SSL_OP_NO_TLSv1;

-      }

- -#if HAVE_TLS_V1_1

-      if ((protocols & PAL_SSL_TLS11) != PAL_SSL_TLS11)

-      {

-          protocolOptions |= SSL_OP_NO_TLSv1_1;

-      }

- -#endif

- -#if HAVE_TLS_V1_2

-      if ((protocols & PAL_SSL_TLS12) != PAL_SSL_TLS12)

-      {

-          protocolOptions |= SSL_OP_NO_TLSv1_2;

-      }

- +

- +    // protocol options were specified, and there's no handler yet for TLS 1.3.

- +#ifndef SSL_OP_NO_TLSv1_3

- +#define SSL_OP_NO_TLSv1_3 0x20000000U

-  #endif

- +    protocolOptions |= SSL_OP_NO_TLSv1_3;

-  

- +    // OpenSSL 1.0 calls this long, OpenSSL 1.1 calls it unsigned long.

- +#pragma clang diagnostic push

- +#pragma clang diagnostic ignored "-Wsign-conversion"

-      SSL_CTX_set_options(ctx, protocolOptions);

- +#pragma clang diagnostic pop

-  }

-  

-  extern "C" SSL* CryptoNative_SslCreate(SSL_CTX* ctx)

- @@ -254,54 +299,54 @@ static ExchangeAlgorithmType MapExchangeAlgorithmType(const char* keyExchange, s

-  

-  static void GetHashAlgorithmTypeAndSize(const char* mac,

-                                          size_t macLength,

- -                                        HashAlgorithmType& dataHashAlg,

- -                                        DataHashSize& hashKeySize)

- +                                        HashAlgorithmType* dataHashAlg,

- +                                        DataHashSize* hashKeySize)

-  {

-      if (StringSpanEquals(mac, "MD5", macLength))

-      {

- -        dataHashAlg = HashAlgorithmType::Md5;

- -        hashKeySize = DataHashSize::MD5_HashKeySize;

- +        *dataHashAlg = HashAlgorithmType::Md5;

- +        *hashKeySize = DataHashSize::MD5_HashKeySize;

-          return;

-      }

-      if (StringSpanEquals(mac, "SHA1", macLength))

-      {

- -        dataHashAlg = HashAlgorithmType::Sha1;

- -        hashKeySize = DataHashSize::SHA1_HashKeySize;

- +        *dataHashAlg = HashAlgorithmType::Sha1;

- +        *hashKeySize = DataHashSize::SHA1_HashKeySize;

-          return;

-      }

-      if (StringSpanEquals(mac, "GOST94", macLength))

-      {

- -        dataHashAlg = HashAlgorithmType::SSL_GOST94;

- -        hashKeySize = DataHashSize::GOST_HashKeySize;

- +        *dataHashAlg = HashAlgorithmType::SSL_GOST94;

- +        *hashKeySize = DataHashSize::GOST_HashKeySize;

-          return;

-      }

-      if (StringSpanEquals(mac, "GOST89", macLength))

-      {

- -        dataHashAlg = HashAlgorithmType::SSL_GOST89;

- -        hashKeySize = DataHashSize::GOST_HashKeySize;

- +        *dataHashAlg = HashAlgorithmType::SSL_GOST89;

- +        *hashKeySize = DataHashSize::GOST_HashKeySize;

-          return;

-      }

-      if (StringSpanEquals(mac, "SHA256", macLength))

-      {

- -        dataHashAlg = HashAlgorithmType::SSL_SHA256;

- -        hashKeySize = DataHashSize::SHA256_HashKeySize;

- +        *dataHashAlg = HashAlgorithmType::SSL_SHA256;

- +        *hashKeySize = DataHashSize::SHA256_HashKeySize;

-          return;

-      }

-      if (StringSpanEquals(mac, "SHA384", macLength))

-      {

- -        dataHashAlg = HashAlgorithmType::SSL_SHA384;

- -        hashKeySize = DataHashSize::SHA384_HashKeySize;

- +        *dataHashAlg = HashAlgorithmType::SSL_SHA384;

- +        *hashKeySize = DataHashSize::SHA384_HashKeySize;

-          return;

-      }

-      if (StringSpanEquals(mac, "AEAD", macLength))

-      {

- -        dataHashAlg = HashAlgorithmType::SSL_AEAD;

- -        hashKeySize = DataHashSize::Default;

- +        *dataHashAlg = HashAlgorithmType::SSL_AEAD;

- +        *hashKeySize = DataHashSize::Default;

-          return;

-      }

-  

- -    dataHashAlg = HashAlgorithmType::None;

- -    hashKeySize = DataHashSize::Default;

- +    *dataHashAlg = HashAlgorithmType::None;

- +    *hashKeySize = DataHashSize::Default;

-  }

-  

-  /*

- @@ -340,10 +385,10 @@ Parses the Kx, Enc, and Mac values out of the SSL_CIPHER_description and

-  maps the values to the corresponding .NET enum value.

-  */

-  static bool GetSslConnectionInfoFromDescription(const SSL_CIPHER* cipher,

- -                                                CipherAlgorithmType& dataCipherAlg,

- -                                                ExchangeAlgorithmType& keyExchangeAlg,

- -                                                HashAlgorithmType& dataHashAlg,

- -                                                DataHashSize& hashKeySize)

- +                                                CipherAlgorithmType* dataCipherAlg,

- +                                                ExchangeAlgorithmType* keyExchangeAlg,

- +                                                HashAlgorithmType* dataHashAlg,

- +                                                DataHashSize* hashKeySize)

-  {

-      const int descriptionLength = 256;

-      char description[descriptionLength] = {};

- @@ -370,8 +415,8 @@ static bool GetSslConnectionInfoFromDescription(const SSL_CIPHER* cipher,

-          return false;

-      }

-  

- -    keyExchangeAlg = MapExchangeAlgorithmType(keyExchange, keyExchangeLength);

- -    dataCipherAlg = MapCipherAlgorithmType(encryption, encryptionLength);

- +    *keyExchangeAlg = MapExchangeAlgorithmType(keyExchange, keyExchangeLength);

- +    *dataCipherAlg = MapCipherAlgorithmType(encryption, encryptionLength);

-      GetHashAlgorithmTypeAndSize(mac, macLength, dataHashAlg, hashKeySize);

-      return true;

-  }

- @@ -396,8 +441,9 @@ extern "C" int32_t CryptoNative_GetSslConnectionInfo(SSL* ssl,

-          goto err;

-      }

-  

- -    *dataKeySize = cipher->alg_bits;

- -    if (GetSslConnectionInfoFromDescription(cipher, *dataCipherAlg, *keyExchangeAlg, *dataHashAlg, *hashKeySize))

- +    SSL_CIPHER_get_bits(cipher, dataKeySize);

- +

- +    if (GetSslConnectionInfoFromDescription(cipher, dataCipherAlg, keyExchangeAlg, dataHashAlg, hashKeySize))

-      {

-          return 1;

-      }

- @@ -453,7 +499,7 @@ extern "C" int32_t CryptoNative_SslDoHandshake(SSL* ssl)

-  

-  extern "C" int32_t CryptoNative_IsSslStateOK(SSL* ssl)

-  {

- -    return SSL_state(ssl) == SSL_ST_OK;

- +    return SSL_is_init_finished(ssl);

-  }

-  

-  extern "C" X509* CryptoNative_SslGetPeerCertificate(SSL* ssl)

- @@ -517,6 +563,8 @@ CryptoNative_SslCtxSetCertVerifyCallback(SSL_CTX* ctx, SslCtxSetCertVerifyCallba

-  extern "C" int32_t CryptoNative_SetEncryptionPolicy(SSL_CTX* ctx, EncryptionPolicy policy)

-  {

-      const char* cipherString = nullptr;

- +    bool clearSecLevel = false;

- +

-      switch (policy)

-      {

-          case EncryptionPolicy::RequireEncryption:

- @@ -525,15 +573,23 @@ extern "C" int32_t CryptoNative_SetEncryptionPolicy(SSL_CTX* ctx, EncryptionPoli

-  

-          case EncryptionPolicy::AllowNoEncryption:

-              cipherString = SSL_TXT_AllIncludingNull;

- +            clearSecLevel = true;

-              break;

-  

-          case EncryptionPolicy::NoEncryption:

-              cipherString = SSL_TXT_eNULL;

- +            clearSecLevel = true;

-              break;

-      }

-  

-      assert(cipherString != nullptr);

-  

- +    if (clearSecLevel)

- +    {

- +        // No minimum security policy, same as OpenSSL 1.0

- +        SSL_CTX_set_security_level(ctx, 0);

- +    }

- +

-      return SSL_CTX_set_cipher_list(ctx, cipherString);

-  }

-  

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp

- index 3118c9aa2c..b51bb77575 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp

- @@ -230,12 +230,22 @@ extern "C" X509Stack* CryptoNative_X509StoreCtxGetChain(X509_STORE_CTX* ctx)

-  

-  extern "C" X509Stack* CryptoNative_X509StoreCtxGetSharedUntrusted(X509_STORE_CTX* ctx)

-  {

- -    return ctx ? ctx->untrusted : nullptr;

- +    if (ctx)

- +    {

- +        return X509_STORE_CTX_get0_untrusted(ctx);

- +    }

- +

- +    return nullptr;

-  }

-  

-  extern "C" X509* CryptoNative_X509StoreCtxGetTargetCert(X509_STORE_CTX* ctx)

-  {

- -    return ctx ? ctx->cert : nullptr;

- +    if (ctx)

- +    {

- +        return X509_STORE_CTX_get0_cert(ctx);

- +    }

- +

- +    return nullptr;

-  }

-  

-  extern "C" X509VerifyStatusCode CryptoNative_X509StoreCtxGetError(X509_STORE_CTX* ctx)

- @@ -302,7 +312,7 @@ extern "C" X509* CryptoNative_X509UpRef(X509* x509)

-  {

-      if (x509 != nullptr)

-      {

- -        CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);

- +        X509_up_ref(x509);

-      }

-  

-      return x509;

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_root.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_root.cpp

- index 2132a81836..cc11e654dd 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_root.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509_root.cpp

- @@ -2,6 +2,7 @@

-  // The .NET Foundation licenses this file to you under the MIT license.

-  // See the LICENSE file in the project root for more information.

-  

- +#include "pal_types.h"

-  #include "pal_x509_root.h"

-  

-  #include <assert.h>

- diff --git a/src/System.Security.Cryptography.Algorithms/src/Internal/Cryptography/OpenSslCipher.cs b/src/System.Security.Cryptography.Algorithms/src/Internal/Cryptography/OpenSslCipher.cs

- index 47912ff085..8f870feae3 100644

- --- a/src/System.Security.Cryptography.Algorithms/src/Internal/Cryptography/OpenSslCipher.cs

- +++ b/src/System.Security.Cryptography.Algorithms/src/Internal/Cryptography/OpenSslCipher.cs

- @@ -3,6 +3,7 @@

-  // See the LICENSE file in the project root for more information.

-  

-  using System;

- +using System.Buffers;

-  using System.Diagnostics;

-  using System.Security.Cryptography;

-  using Microsoft.Win32.SafeHandles;

- @@ -49,6 +50,24 @@ namespace Internal.Cryptography

-              Debug.Assert(outputOffset >= 0);

-              Debug.Assert(output.Length - outputOffset >= count);

-  

- +            // OpenSSL 1.1 does not allow partial overlap.

- +            if (input == output && inputOffset != outputOffset)

- +            {

- +                byte[] tmp = ArrayPool<byte>.Shared.Rent(count);

- +

- +                try

- +                {

- +                    int written = CipherUpdate(input, inputOffset, count, tmp, 0);

- +                    Buffer.BlockCopy(tmp, 0, output, outputOffset, written);

- +                    return written;

- +                }

- +                finally

- +                {

- +                    CryptographicOperations.ZeroMemory(tmp.AsSpan(0, count));

- +                    ArrayPool<byte>.Shared.Return(tmp);

- +                }

- +            }

- +

-              return CipherUpdate(input, inputOffset, count, output, outputOffset);

-          }

-  

- -- 

- 2.20.1

- 

@@ -1,30 +0,0 @@ 

- From fc9d3560b4a84bab784574cfe9700125065713c3 Mon Sep 17 00:00:00 2001

- From: Omair Majid <omajid@redhat.com>

- Date: Sat, 22 Dec 2018 15:06:18 -0500

- Subject: [PATCH 4/7] Use HMAC_CTX_free() instead of free() on a HMAC_CTX*

-  (#34222)

- 

- This is a leftover from before the OpenSSL 1.0/1.1 hybridization. There

- was no HMAC_CTX_free() in 1.0.

- 

- Fixes #34210

- ---

-  .../Unix/System.Security.Cryptography.Native/pal_hmac.cpp       | 2 +-

-  1 file changed, 1 insertion(+), 1 deletion(-)

- 

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.cpp

- index 539dc07683..979750cb40 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_hmac.cpp

- @@ -31,7 +31,7 @@ extern "C" HMAC_CTX* CryptoNative_HmacCreate(const uint8_t* key, int32_t keyLen,

-  

-      if (!ret)

-      {

- -        free(ctx);

- +        HMAC_CTX_free(ctx);

-          return nullptr;

-      }

-  

- -- 

- 2.20.1

- 

@@ -1,43 +0,0 @@ 

- From 60e4274ff758af0d68ba585e7286a5cddb7c4778 Mon Sep 17 00:00:00 2001

- From: Omair Majid <omajid@redhat.com>

- Date: Thu, 10 Jan 2019 18:37:24 -0500

- Subject: [PATCH 5/7] Prefer OpenSSL 1.0.x for portable builds

- 

- Future releases of .NET Core prefer OpenSSL 1.1.x. For the sake of

- compatiblity, 2.x releases should prefer 1.0.x.

- ---

-  .../opensslshim.cpp                                   | 11 +++++------

-  1 file changed, 5 insertions(+), 6 deletions(-)

- 

- diff --git a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.cpp b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.cpp

- index 585f7ac23f..c98869a94e 100644

- --- a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.cpp

- +++ b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.cpp

- @@ -47,12 +47,6 @@ bool OpenLibrary()

-          libssl = dlopen(soName, RTLD_LAZY);

-      }

-  

- -    if (libssl == nullptr)

- -    {

- -        // Prefer OpenSSL 1.1.x

- -        libssl = dlopen("libssl.so.1.1", RTLD_LAZY);

- -    }

- -

-      if (libssl == nullptr)

-      {

-          // Debian 9 has dropped support for SSLv3 and so they have bumped their soname. Let's try it

- @@ -73,6 +67,11 @@ bool OpenLibrary()

-          libssl = dlopen("libssl.so.10", RTLD_LAZY);

-      }

-  

- +    if (libssl == nullptr)

- +    {

- +        libssl = dlopen("libssl.so.1.1", RTLD_LAZY);

- +    }

- +

-      return libssl != nullptr;

-  }

-  

- -- 

- 2.20.1

- 

@@ -1,350 +0,0 @@ 

- From dfa0c242cd9b329554971cf80c094e8f58d756e3 Mon Sep 17 00:00:00 2001

- From: Jeremy Barton <jbarton@microsoft.com>

- Date: Wed, 26 Sep 2018 15:35:35 -0700

- Subject: [PATCH 6/7] Check for the specific in-use version of OpenSSL when

-  working with libcurl

- 

- Rather than check a generic 1.0/1.1, test for the specific library version that

- the crypto shim has loaded.  This makes things work when both libcurl

- and the crypto shim are using OpenSSL 1.1 and also prevents a state where two

- different copies of the library (at different patch versions) are utilized.

- ---

-  .../Interop.Initialization.cs                 |  8 +--

-  .../Interop.VersionInfo.cs                    | 44 +++++++++++-

-  .../Interop.OpenSslVersion.cs                 |  2 +-

-  .../src/System.Net.Http.csproj                |  3 +

-  .../CurlHandler.SslProvider.Linux.cs          |  8 +--

-  .../FunctionalTests/HttpClientEKUTest.cs      |  2 +-

-  ...ttpClientHandlerTest.ClientCertificates.cs | 14 +---

-  ...ientHandlerTest.ServerCertificates.Unix.cs |  9 +--

-  ...HttpClientHandlerTest.SslProtocols.Unix.cs |  3 +-

-  .../System.Net.Http.Functional.Tests.csproj   |  3 +-

-  .../tests/FunctionalTests/TestHelper.cs       | 69 +++++++++++++++++++

-  11 files changed, 130 insertions(+), 35 deletions(-)

- 

- diff --git a/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.Initialization.cs b/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.Initialization.cs

- index eef56ec0b3..d6bcc8df02 100644

- --- a/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.Initialization.cs

- +++ b/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.Initialization.cs

- @@ -26,11 +26,11 @@ internal static partial class Interop

-  #if !SYSNETHTTP_NO_OPENSSL

-              string opensslVersion = Interop.Http.GetSslVersionDescription();

-              if (string.IsNullOrEmpty(opensslVersion) ||

- -                opensslVersion.IndexOf(Interop.Http.OpenSsl10Description, StringComparison.OrdinalIgnoreCase) != -1)

- +                opensslVersion.IndexOf(Interop.Http.OpenSslDescriptionPrefix, StringComparison.OrdinalIgnoreCase) != -1)

-              {

- -                // CURL uses OpenSSL which we must initialize first to guarantee thread-safety

- -                // Only initialize for OpenSSL/1.0, any newer versions may have mismatched

- -                // pointers, resulting in segfaults.

- +                // CURL uses OpenSSL which we must initialize first to guarantee thread-safety.

- +                // We'll wake up whatever OpenSSL we're going to run against, but might later determine that

- +                // they aren't compatible.

-                  CryptoInitializer.Initialize();

-              }

-  #endif

- diff --git a/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.VersionInfo.cs b/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.VersionInfo.cs

- index 1899fd0af3..8175159b6f 100644

- --- a/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.VersionInfo.cs

- +++ b/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.VersionInfo.cs

- @@ -3,6 +3,7 @@

-  // See the LICENSE file in the project root for more information.

-  

-  using System;

- +using System.Diagnostics;

-  using System.Runtime.InteropServices;

-  

-  internal static partial class Interop

- @@ -47,8 +48,49 @@ internal static partial class Interop

-          [DllImport(Libraries.HttpNative, EntryPoint = "HttpNative_GetSslVersionDescription")]

-          internal static extern string GetSslVersionDescription();

-  

- -        internal const string OpenSsl10Description = "openssl/1.0";

- +        internal const string OpenSslDescriptionPrefix = "OpenSSL/";

-          internal const string SecureTransportDescription = "SecureTransport";

-          internal const string LibreSslDescription = "LibreSSL";

- +

- +#if !SYSNETHTTP_NO_OPENSSL

- +        private static readonly Lazy<string> s_requiredOpenSslDescription =

- +            new Lazy<string>(() => DetermineRequiredOpenSslDescription());

- +

- +        private static readonly Lazy<bool> s_hasMatchingOpenSsl =

- +            new Lazy<bool>(() => RequiredOpenSslDescription == GetSslVersionDescription());

- +

- +        internal static string RequiredOpenSslDescription => s_requiredOpenSslDescription.Value;

- +        internal static bool HasMatchingOpenSslVersion => s_hasMatchingOpenSsl.Value;

- +

- +        private static string DetermineRequiredOpenSslDescription()

- +        {

- +            string versionDescription = Interop.OpenSsl.OpenSslVersionDescription();

- +            var version = versionDescription.AsSpan();

- +

- +            // OpenSSL version description looks like this:

- +            //

- +            // OpenSSL 1.1.1 FIPS  11 Sep 2018

- +            //

- +            // libcurl's OpenSSL vtls backend ignores status in the version string.

- +            // Major, minor, and fix are encoded (by libcurl) as unpadded hex

- +            // (0 => "0", 15 => "f", 16 => "10").

- +            //

- +            // Patch is encoded as in the way OpenSSL would do it.

- +

- +            string prefix = "OpenSSL ";

- +            if (version.StartsWith(prefix))

- +            {

- +                version = version.Slice(prefix.Length).Trim();

- +            }

- +            int end = version.IndexOf(" ");

- +            if (end != -1)

- +            {

- +                version = version.Slice(0, end);

- +            }

- +            version = version.Trim();

- +

- +            return $"{OpenSslDescriptionPrefix}{version.ToString()}";

- +        }

- +#endif

-      }

-  }

- diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSslVersion.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSslVersion.cs

- index 70805706ef..13c2339ce6 100644

- --- a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSslVersion.cs

- +++ b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSslVersion.cs

- @@ -12,7 +12,7 @@ internal static partial class Interop

-          private static Version s_opensslVersion;

-  

-          [DllImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_SSLEayVersion")]

- -        private static extern string OpenSslVersionDescription();

- +        internal static extern string OpenSslVersionDescription();

-  

-          internal static Version OpenSslVersion

-          {

- diff --git a/src/System.Net.Http/src/System.Net.Http.csproj b/src/System.Net.Http/src/System.Net.Http.csproj

- index 66e5b8d5f8..34b4d22e15 100644

- --- a/src/System.Net.Http/src/System.Net.Http.csproj

- +++ b/src/System.Net.Http/src/System.Net.Http.csproj

- @@ -500,6 +500,9 @@

-      <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.Crypto.cs">

-        <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.Crypto.cs</Link>

-      </Compile>

- +    <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.OpenSslVersion.cs">

- +      <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.OpenSslVersion.cs</Link>

- +    </Compile>

-      <Compile Include="$(CommonPath)\Interop\Unix\System.Security.Cryptography.Native\Interop.Ssl.cs">

-        <Link>Common\Interop\Unix\System.Security.Cryptography.Native\Interop.Ssl.cs</Link>

-      </Compile>

- diff --git a/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.SslProvider.Linux.cs b/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.SslProvider.Linux.cs

- index 55e583e137..2fdcde686d 100644

- --- a/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.SslProvider.Linux.cs

- +++ b/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.SslProvider.Linux.cs

- @@ -55,7 +55,7 @@ namespace System.Net.Http

-  

-                  // Configure the options.  Our best support is when targeting OpenSSL/1.0.  For other backends,

-                  // we fall back to a minimal amount of support, and may throw a PNSE based on the options requested.

- -                if (CurlSslVersionDescription.IndexOf(Interop.Http.OpenSsl10Description, StringComparison.OrdinalIgnoreCase) != -1)

- +                if (Interop.Http.HasMatchingOpenSslVersion)

-                  {

-                      // Register the callback with libcurl.  We need to register even if there's no user-provided

-                      // server callback and even if there are no client certificates, because we support verifying

- @@ -169,12 +169,12 @@ namespace System.Net.Http

-              {

-                  if (certProvider != null)

-                  {

- -                    throw new PlatformNotSupportedException(SR.Format(SR.net_http_libcurl_clientcerts_notsupported_sslbackend, CurlVersionDescription, CurlSslVersionDescription, Interop.Http.OpenSsl10Description));

- +                    throw new PlatformNotSupportedException(SR.Format(SR.net_http_libcurl_clientcerts_notsupported_sslbackend, CurlVersionDescription, CurlSslVersionDescription, Interop.Http.RequiredOpenSslDescription));

-                  }

-  

-                  if (easy._handler.CheckCertificateRevocationList)

-                  {

- -                    throw new PlatformNotSupportedException(SR.Format(SR.net_http_libcurl_revocation_notsupported_sslbackend, CurlVersionDescription, CurlSslVersionDescription, Interop.Http.OpenSsl10Description));

- +                    throw new PlatformNotSupportedException(SR.Format(SR.net_http_libcurl_revocation_notsupported_sslbackend, CurlVersionDescription, CurlSslVersionDescription, Interop.Http.RequiredOpenSslDescription));

-                  }

-  

-                  if (easy._handler.ServerCertificateCustomValidationCallback != null)

- @@ -187,7 +187,7 @@ namespace System.Net.Http

-                      }

-                      else

-                      {

- -                        throw new PlatformNotSupportedException(SR.Format(SR.net_http_libcurl_callback_notsupported_sslbackend, CurlVersionDescription, CurlSslVersionDescription, Interop.Http.OpenSsl10Description));

- +                        throw new PlatformNotSupportedException(SR.Format(SR.net_http_libcurl_callback_notsupported_sslbackend, CurlVersionDescription, CurlSslVersionDescription, Interop.Http.RequiredOpenSslDescription));

-                      }

-                  }

-                  else

- diff --git a/src/System.Net.Http/tests/FunctionalTests/HttpClientEKUTest.cs b/src/System.Net.Http/tests/FunctionalTests/HttpClientEKUTest.cs

- index c6badc770e..9ac90390e3 100644

- --- a/src/System.Net.Http/tests/FunctionalTests/HttpClientEKUTest.cs

- +++ b/src/System.Net.Http/tests/FunctionalTests/HttpClientEKUTest.cs

- @@ -22,7 +22,7 @@ namespace System.Net.Http.Functional.Tests

-  #if TargetsWindows

-              true;

-  #else

- -            Interop.Http.GetSslVersionDescription()?.StartsWith(Interop.Http.OpenSsl10Description, StringComparison.OrdinalIgnoreCase) ?? false;

- +            TestHelper.NativeHandlerSupportsSslConfiguration();

-  #endif

-  

-          private static bool CanTestCertificates =>

- diff --git a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.ClientCertificates.cs b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.ClientCertificates.cs

- index 78d0fdb09f..217726db64 100644

- --- a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.ClientCertificates.cs

- +++ b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.ClientCertificates.cs

- @@ -319,19 +319,7 @@ namespace System.Net.Http.Functional.Tests

-  #if TargetsWindows

-                  return true;

-  #else

- -                if (UseSocketsHttpHandler)

- -                {

- -                    return true;

- -                }

- -

- -                if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))

- -                {

- -                    return false;

- -                }

- -

- -                // For other Unix-based systems it's true if (and only if) the openssl backend

- -                // is used with libcurl.

- -                return (Interop.Http.GetSslVersionDescription()?.StartsWith(Interop.Http.OpenSsl10Description, StringComparison.OrdinalIgnoreCase) ?? false);

- +                return TestHelper.NativeHandlerSupportsSslConfiguration();

-  #endif

-              }

-          }

- diff --git a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.ServerCertificates.Unix.cs b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.ServerCertificates.Unix.cs

- index d19a63f598..eb38f93615 100644

- --- a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.ServerCertificates.Unix.cs

- +++ b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.ServerCertificates.Unix.cs

- @@ -58,14 +58,7 @@ namespace System.Net.Http.Functional.Tests

-                      return true;

-                  }

-  

- -                if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))

- -                {

- -                    return false;

- -                }

- -

- -                // For other Unix-based systems it's true if (and only if) the openssl backend

- -                // is used with libcurl.

- -                return (Interop.Http.GetSslVersionDescription()?.StartsWith(Interop.Http.OpenSsl10Description, StringComparison.OrdinalIgnoreCase) ?? false);

- +                return TestHelper.NativeHandlerSupportsSslConfiguration();

-              }

-          }

-  

- diff --git a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.SslProtocols.Unix.cs b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.SslProtocols.Unix.cs

- index 615f2cb4fa..e7631e3940 100644

- --- a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.SslProtocols.Unix.cs

- +++ b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.SslProtocols.Unix.cs

- @@ -17,7 +17,6 @@ namespace System.Net.Http.Functional.Tests

-      public abstract partial class HttpClientHandler_SslProtocols_Test

-      {

-          private bool BackendSupportsSslConfiguration =>

- -            UseSocketsHttpHandler ||

- -            (Interop.Http.GetSslVersionDescription()?.StartsWith(Interop.Http.OpenSsl10Description, StringComparison.OrdinalIgnoreCase) ?? false);

- +            UseSocketsHttpHandler || TestHelper.NativeHandlerSupportsSslConfiguration();

-      }

-  }

- diff --git a/src/System.Net.Http/tests/FunctionalTests/System.Net.Http.Functional.Tests.csproj b/src/System.Net.Http/tests/FunctionalTests/System.Net.Http.Functional.Tests.csproj

- index 68c87c2b6e..b3b9d2437d 100644

- --- a/src/System.Net.Http/tests/FunctionalTests/System.Net.Http.Functional.Tests.csproj

- +++ b/src/System.Net.Http/tests/FunctionalTests/System.Net.Http.Functional.Tests.csproj

- @@ -5,6 +5,7 @@

-      <ProjectGuid>{C85CF035-7804-41FF-9557-48B7C948B58D}</ProjectGuid>

-      <DefineConstants Condition="'$(TargetGroup)'=='netcoreapp'">$(DefineConstants);netcoreapp</DefineConstants>

-      <DefineConstants Condition="'$(TargetsWindows)'=='true'">$(DefineConstants);TargetsWindows</DefineConstants>

- +    <DefineConstants>$(DefineConstants);SYSNETHTTP_NO_OPENSSL</DefineConstants>

-      <AllowUnsafeBlocks>true</AllowUnsafeBlocks>

-    </PropertyGroup>

-    <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'netcoreapp-Unix-Debug|AnyCPU'" />

- @@ -169,4 +170,4 @@

-      <Service Include="{82A7F48D-3B50-4B1E-B82E-3ADA8210C358}" />

-    </ItemGroup>

-    <Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory), dir.targets))\dir.targets" />

- -</Project>

- \ No newline at end of file

- +</Project>

- diff --git a/src/System.Net.Http/tests/FunctionalTests/TestHelper.cs b/src/System.Net.Http/tests/FunctionalTests/TestHelper.cs

- index 9bf6f216d1..2e29128a92 100644

- --- a/src/System.Net.Http/tests/FunctionalTests/TestHelper.cs

- +++ b/src/System.Net.Http/tests/FunctionalTests/TestHelper.cs

- @@ -6,6 +6,8 @@ using System.Collections.Generic;

-  using System.Linq;

-  using System.Net.NetworkInformation;

-  using System.Net.Security;

- +using System.Reflection;

- +using System.Runtime.InteropServices;

-  using System.Security.Cryptography;

-  using System.Security.Cryptography.X509Certificates;

-  using System.Text;

- @@ -107,5 +109,72 @@ namespace System.Net.Http.Functional.Tests

-                  .Select(a => a.Address)

-                  .Where(a => a.IsIPv6LinkLocal)

-                  .FirstOrDefault();

- +

- +        public static void EnsureHttp2Feature(HttpClientHandler handler)

- +        {

- +            // All .NET Core implementations of HttpClientHandler have HTTP/2 enabled by default except when using

- +            // SocketsHttpHandler. Right now, the HTTP/2 feature is disabled on SocketsHttpHandler unless certain

- +            // AppContext switches or environment variables are set. To help with testing, we can enable the HTTP/2

- +            // feature for a specific handler instance by using reflection.

- +            FieldInfo field_socketsHttpHandler = typeof(HttpClientHandler).GetField(

- +                "_socketsHttpHandler",

- +                BindingFlags.NonPublic | BindingFlags.Instance);

- +            if (field_socketsHttpHandler == null)

- +            {

- +                // Not using .NET Core implementation, i.e. could be .NET Framework or UAP.

- +                return;

- +            }

- +

- +            object _socketsHttpHandler = field_socketsHttpHandler.GetValue(handler);

- +            if (_socketsHttpHandler == null)

- +            {

- +                // Not using SocketsHttpHandler, i.e. using WinHttpHandler or CurlHandler.

- +                return;

- +            }

- +

- +            // Get HttpConnectionSettings object from SocketsHttpHandler.

- +            Type type_SocketsHttpHandler = typeof(HttpClientHandler).Assembly.GetType("System.Net.Http.SocketsHttpHandler");

- +            FieldInfo field_settings = type_SocketsHttpHandler.GetField(

- +                "_settings",

- +                BindingFlags.NonPublic | BindingFlags.Instance);

- +            Assert.NotNull(field_settings);

- +            object _settings = field_settings.GetValue(_socketsHttpHandler);

- +            Assert.NotNull(_settings);

- +

- +            // Set _maxHttpVersion field to HTTP/2.0.

- +            Type type_HttpConnectionSettings = typeof(HttpClientHandler).Assembly.GetType("System.Net.Http.HttpConnectionSettings");

- +            FieldInfo field_maxHttpVersion = type_HttpConnectionSettings.GetField(

- +                "_maxHttpVersion",

- +                BindingFlags.NonPublic | BindingFlags.Instance);

- +            field_maxHttpVersion.SetValue(_settings, new Version(2, 0));

- +        }

- +

- +        public static bool NativeHandlerSupportsSslConfiguration()

- +        {

- +#if TargetsWindows

- +            return true;

- +#else

- +            if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))

- +            {

- +                return false;

- +            }

- +

- +            // For other Unix-based systems it's true if (and only if) the currect openssl backend

- +            // is used with libcurl.

- +            bool hasAnyOpenSsl =

- +                Interop.Http.GetSslVersionDescription()?.StartsWith(Interop.Http.OpenSslDescriptionPrefix, StringComparison.OrdinalIgnoreCase) ?? false;

- +

- +            if (!hasAnyOpenSsl)

- +            {

- +                return false;

- +            }

- +

- +            // We're on an OpenSSL-based system, with an OpenSSL backend.

- +            // Ask the product how it feels about this.

- +            Type interopHttp = typeof(HttpClient).Assembly.GetType("Interop+Http");

- +            PropertyInfo hasMatchingOpenSslVersion = interopHttp.GetProperty("HasMatchingOpenSslVersion", BindingFlags.Static | BindingFlags.NonPublic);

- +            return (bool)hasMatchingOpenSslVersion.GetValue(null);

- +#endif

- +        }

-      }

-  }

- -- 

- 2.20.1

- 

@@ -1,28 +0,0 @@ 

- From 15bfd45926678221a3191f092243cf88d89298e9 Mon Sep 17 00:00:00 2001

- From: Omair Majid <omajid@redhat.com>

- Date: Tue, 15 Jan 2019 11:00:03 -0500

- Subject: [PATCH 7/7] Relax the OpenSSL error checking code

- 

- OpenSSL 1.0 and 1.1 have different messages for the errors, but the same

- error code. So only check the error code, not the exact error message.

- 

- This is a port of #30889.

- ---

-  .../tests/CtorTests.cs                                           | 1 -

-  1 file changed, 1 deletion(-)

- 

- diff --git a/src/System.Security.Cryptography.X509Certificates/tests/CtorTests.cs b/src/System.Security.Cryptography.X509Certificates/tests/CtorTests.cs

- index da6e2630c0..24c7361500 100644

- --- a/src/System.Security.Cryptography.X509Certificates/tests/CtorTests.cs

- +++ b/src/System.Security.Cryptography.X509Certificates/tests/CtorTests.cs

- @@ -355,7 +355,6 @@ namespace System.Security.Cryptography.X509Certificates.Tests

-              else // Any Unix

-              {

-                  Assert.Equal(0x0D07803A, ex.HResult);

- -                Assert.Equal("error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error", ex.Message);

-              }

-          }

-  

- -- 

- 2.20.1

- 

@@ -1,206 +0,0 @@ 

- diff --git a/pkg/Microsoft.NETCore.Platforms/runtime.compatibility.json b/pkg/Microsoft.NETCore.Platforms/runtime.compatibility.json

- index 7272b5de10..99fd8de923 100644

- --- a/pkg/Microsoft.NETCore.Platforms/runtime.compatibility.json

- +++ b/pkg/Microsoft.NETCore.Platforms/runtime.compatibility.json

- @@ -4923,6 +4923,123 @@

-      "any",

-      "base"

-    ],

- +  "rhel.8": [

- +    "rhel.8",

- +    "rhel",

- +    "linux",

- +    "unix",

- +    "any",

- +    "base"

- +  ],

- +  "rhel.8-corert": [

- +    "rhel.8-corert",

- +    "rhel.8",

- +    "rhel-corert",

- +    "rhel",

- +    "linux-corert",

- +    "linux",

- +    "unix-corert",

- +    "unix",

- +    "corert",

- +    "any",

- +    "base"

- +  ],

- +  "rhel.8-x64": [

- +    "rhel.8-x64",

- +    "rhel.8",

- +    "rhel-x64",

- +    "rhel",

- +    "linux-x64",

- +    "linux",

- +    "unix-x64",

- +    "unix",

- +    "any",

- +    "base"

- +  ],

- +  "rhel.8-x64-corert": [

- +    "rhel.8-x64-corert",

- +    "rhel.8-corert",

- +    "rhel.8-x64",

- +    "rhel.8",

- +    "rhel-x64-corert",

- +    "rhel-corert",

- +    "rhel-x64",

- +    "rhel",

- +    "linux-x64-corert",

- +    "linux-corert",

- +    "linux-x64",

- +    "linux",

- +    "unix-x64-corert",

- +    "unix-corert",

- +    "unix-x64",

- +    "unix",

- +    "corert",

- +    "any",

- +    "base"

- +  ],

- +  "rhel.8.0": [

- +    "rhel.8.0",

- +    "rhel.8",

- +    "rhel",

- +    "linux",

- +    "unix",

- +    "any",

- +    "base"

- +  ],

- +  "rhel.8.0-corert": [

- +    "rhel.8.0-corert",

- +    "rhel.8.0",

- +    "rhel.8-corert",

- +    "rhel.8",

- +    "rhel-corert",

- +    "rhel",

- +    "linux-corert",

- +    "linux",

- +    "unix-corert",

- +    "unix",

- +    "corert",

- +    "any",

- +    "base"

- +  ],

- +  "rhel.8.0-x64": [

- +    "rhel.8.0-x64",

- +    "rhel.8.0",

- +    "rhel.8-x64",

- +    "rhel.8",

- +    "rhel-x64",

- +    "rhel",

- +    "linux-x64",

- +    "linux",

- +    "unix-x64",

- +    "unix",

- +    "any",

- +    "base"

- +  ],

- +  "rhel.8.0-x64-corert": [

- +    "rhel.8.0-x64-corert",

- +    "rhel.8.0-corert",

- +    "rhel.8.0-x64",

- +    "rhel.8.0",

- +    "rhel.8-x64-corert",

- +    "rhel.8-corert",

- +    "rhel.8-x64",

- +    "rhel.8",

- +    "rhel-x64-corert",

- +    "rhel-corert",

- +    "rhel-x64",

- +    "rhel",

- +    "linux-x64-corert",

- +    "linux-corert",

- +    "linux-x64",

- +    "linux",

- +    "unix-x64-corert",

- +    "unix-corert",

- +    "unix-x64",

- +    "unix",

- +    "corert",

- +    "any",

- +    "base"

- +  ],

-    "sles": [

-      "sles",

-      "linux",

- diff --git a/pkg/Microsoft.NETCore.Platforms/runtime.json b/pkg/Microsoft.NETCore.Platforms/runtime.json

- index e57332c62c..fc56341c7e 100644

- --- a/pkg/Microsoft.NETCore.Platforms/runtime.json

- +++ b/pkg/Microsoft.NETCore.Platforms/runtime.json

- @@ -1800,6 +1800,56 @@

-          "rhel.7.5-x64-corert"

-        ]

-      },

- +    "rhel.8": {

- +      "#import": [

- +        "rhel"

- +      ]

- +    },

- +    "rhel.8-corert": {

- +      "#import": [

- +        "rhel.8",

- +        "rhel-corert"

- +      ]

- +    },

- +    "rhel.8-x64": {

- +      "#import": [

- +        "rhel.8",

- +        "rhel-x64"

- +      ]

- +    },

- +    "rhel.8-x64-corert": {

- +      "#import": [

- +        "rhel.8-corert",

- +        "rhel.8-x64",

- +        "rhel.8",

- +        "rhel-x64-corert"

- +      ]

- +    },

- +    "rhel.8.0": {

- +      "#import": [

- +        "rhel.8"

- +      ]

- +    },

- +    "rhel.8.0-corert": {

- +      "#import": [

- +        "rhel.8.0",

- +        "rhel.8-corert"

- +      ]

- +    },

- +    "rhel.8.0-x64": {

- +      "#import": [

- +        "rhel.8.0",

- +        "rhel.8-x64"

- +      ]

- +    },

- +    "rhel.8.0-x64-corert": {

- +      "#import": [

- +        "rhel.8.0-corert",

- +        "rhel.8.0-x64",

- +        "rhel.8.0",

- +        "rhel.8-x64-corert"

- +      ]

- +    },

-      "sles": {

-        "#import": [

-          "linux"

- diff --git a/pkg/Microsoft.NETCore.Platforms/runtimeGroups.props b/pkg/Microsoft.NETCore.Platforms/runtimeGroups.props

- index cc93f8bf91..21f6109824 100644

- --- a/pkg/Microsoft.NETCore.Platforms/runtimeGroups.props

- +++ b/pkg/Microsoft.NETCore.Platforms/runtimeGroups.props

- @@ -103,6 +103,12 @@

-        <Versions>7;7.0;7.1;7.2;7.3;7.4;7.5;7.6</Versions>

-      </RuntimeGroup>

-  

- +    <RuntimeGroup Include="rhel">

- +      <Parent>linux</Parent>

- +      <Architectures>x64</Architectures>

- +      <Versions>8;8.0</Versions>

- +    </RuntimeGroup>

- +

-      <RuntimeGroup Include="sles">

-        <Parent>linux</Parent>

-        <Architectures>x64</Architectures>

file modified
+31 -34
@@ -14,7 +14,7 @@ 

  

  # Filter flags not supported by clang/dotnet:

  #  -fcf-protection is not supported by clang

- #  -fstack-clask-protection is not supported by clang

+ #  -fstack-clash-protection is not supported by clang

  #  -specs= is not supported by clang

  %global dotnet_cflags %(echo %optflags | sed -e 's/-fcf-protection//' | sed -e 's/-fstack-clash-protection//' | sed -re 's/-specs=[^ ]*//g')

  %global dotnet_ldflags %(echo %{__global_ldflags} | sed -re 's/-specs=[^ ]*//g')
@@ -27,9 +27,9 @@ 

  

  %global simple_name dotnet

  

- %global host_version 2.1.9

- %global sdk_version 2.1.505

- %global runtime_version 2.1.9

+ %global host_version 2.1.10

+ %global sdk_version 2.1.506

+ %global runtime_version 2.1.10

  

  Name:           %{simple_name}2.1

  Version:        %{sdk_version}
@@ -39,25 +39,19 @@ 

  URL:            https://github.com/dotnet/

  

  # The source is generated on a Fedora box via:

- # - git clone https://github.com/dotnet/source-build

- # - git checkout v%%{sdk_version}

- # - set environment variables + tweak sources to build

- # - ./build-source-tarball.sh dotnet-%%{sdk_version}

- # - tar cvzf dotnet-%%{sdk_version}.tar.gz dotnet-%%{sdk_version}

- 

+ # ./build-dotnet-tarball dotnet-v%%{runtime_version}

  Source0:        dotnet-v%{runtime_version}.tar.gz

  Source1:        check-debug-symbols.py

  Source2:        dotnet.sh

  

- Patch10:        corefx-optflags-support.patch

- Patch11:        corefx-32956-alpn.patch

- Patch12:        corefx-rhel-runtime-ids.patch

+ Patch100:       corefx-32956-alpn.patch

+ Patch101:       corefx-optflags-support.patch

  

- Patch100:       coreclr-build-python3.patch

- Patch101:       coreclr-cmake-python3.patch

- Patch102:       coreclr-mscorlib.patch

- Patch103:       coreclr-pie.patch

- Patch104:       coreclr-assembly-hex-constants.patch

+ Patch200:       coreclr-build-python3.patch

+ Patch201:       coreclr-cmake-python3.patch

+ Patch202:       coreclr-mscorlib.patch

+ Patch203:       coreclr-pie.patch

+ Patch204:       coreclr-assembly-hex-constants.patch

  

  Patch300:       core-setup-4510-commit-id.patch

  Patch301:       core-setup-pie.patch
@@ -215,24 +209,32 @@ 

  It particularly focuses on creating console applications, web

  applications and micro-services.

  

+ 

  %prep

  %setup -q -n %{simple_name}-v%{runtime_version}

  

  # Fix bad hardcoded path in build

  sed -i 's|/usr/share/dotnet|%{_libdir}/%{simple_name}|' src/core-setup/src/corehost/common/pal.unix.cpp

  

+ %if %{use_bundled_libunwind}

+ # Use bundled libunwind

+ sed -i 's|-DCLR_CMAKE_USE_SYSTEM_LIBUNWIND=TRUE|-DCLR_CMAKE_USE_SYSTEM_LIBUNWIND=FALSE|' repos/coreclr.proj

+ %endif

+ 

+ # Disable warnings

+ sed -i 's|skiptests|skiptests ignorewarnings|' repos/coreclr.proj

+ 

  pushd src/corefx

- %patch10 -p1

- %patch11 -p1

- %patch12 -p1

+ %patch100 -p1

+ %patch101 -p1

  popd

  

  pushd src/coreclr

- %patch100 -p1

- %patch101 -p1

- %patch102 -p1

- %patch103 -p1

- %patch104 -p1

+ %patch200 -p1

+ %patch201 -p1

+ %patch202 -p1

+ %patch203 -p1

+ %patch204 -p1

  popd

  

  pushd src/core-setup
@@ -244,14 +246,6 @@ 

  %patch400 -p1

  popd

  

- %if %{use_bundled_libunwind}

- # Use bundled libunwind

- sed -i 's|-DCLR_CMAKE_USE_SYSTEM_LIBUNWIND=TRUE|-DCLR_CMAKE_USE_SYSTEM_LIBUNWIND=FALSE|' repos/coreclr.proj

- %endif

- 

- # disable -Werror

- sed -i '/add_compile_options(-Werror)/d' src/coreclr/compileoptions.cmake

- 

  

  %build

  export CFLAGS="%{dotnet_cflags}"
@@ -335,6 +329,9 @@ 

  %{_libdir}/%{simple_name}/sdk/%{sdk_version}

  

  %changelog

+ * Fri Apr 12 2019 Omair Majid <omajid@redhat.com> - 2.1.506-1

+ - Update to .NET Core Runtime 2.1.10 and SDK 2.1.506

+ 

  * Tue Mar 26 2019 Omair Majid <omajid@redhat.com> - 2.1.505-1

  - Update to .NET Core Runtime 2.1.9 and SDK 2.1.505

  

file added
+49
@@ -0,0 +1,49 @@ 

+ #!/bin/bash

+ 

+ # Usage:

+ #     ./update-release original-name.tar.gz new-name.tar.gz

+ 

+ set -euo pipefail

+ IFS=$'\n\t'

+ 

+ positional_args=()

+ while [[ "$#" -gt 0 ]]; do

+     arg="${1}"

+     case "${arg}" in

+         -h|--help)

+             print_usage

+             exit 0

+             ;;

+         *)

+             positional_args+=("$1")

+             shift

+             ;;

+     esac

+ done

+ 

+ original_name=${positional_args[0]:-}

+ if [[ -z ${original_name} ]]; then

+     echo "error: missing original tarball name"

+     exit 1

+ fi

+ 

+ new_name=${positional_args[1]:-}

+ if [[ -z ${new_name} ]]; then

+     echo "error: missing new tarball name"

+     exit 1

+ fi

+ 

+ original_name=${original_name/%.tar.gz}

+ new_name=${new_name/.tar.gz}

+ 

+ echo "Original: ${original_name}.tar.gz"

+ echo "New name: ${new_name}.tar.gz"

+ 

+ mkdir "temp-${new_name}"

+ pushd "temp-${new_name}"

+ tar xf "../${original_name}.tar.gz"

+ mv "${original_name}" "${new_name}"

+ tar czf ../"${new_name}.tar.gz" "${new_name}"

+ rm -rf "${new_name}"

+ popd

+ rmdir "temp-${new_name}"

file modified
+9
@@ -6,6 +6,11 @@ 

  set -euo pipefail

  IFS=$'\n\t'

  

+ print_usage() {

+     echo " Usage:"

+     echo "     ./update-release runtime-version sdk-version"

+ }

+ 

  positional_args=()

  while [[ "$#" -gt 0 ]]; do

      arg="${1}"
@@ -36,6 +41,10 @@ 

      exit 1

  fi

  

+ if [[ ! -f "dotnet-v${runtime_version}.tar.gz" ]] && [[ -f "dotnet-${runtime_version}.tar.gz" ]]; then

+     ./rename-tarball "dotnet-${runtime_version}.tar.gz" "dotnet-v${runtime_version}.tar.gz"

+ fi

+ 

  if [[ ! -f "dotnet-v${runtime_version}.tar.gz" ]]; then

      ./build-dotnet-tarball "v${runtime_version}"

  fi