Merge cd9435c into e7f4ee2

cossacklabs · Jun 20, 2023 · a10bc3b · a10bc3b
2 parents e7f4ee2 + cd9435c
commit a10bc3b
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 18 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ _Code:_
   - Uncompressed EC public keys are now supported ([#959](https://github.com/cossacklabs/themis/pull/959), [#954](https://github.com/cossacklabs/themis/pull/954))
   - Themis will generate uncompressed EC public keys when `THEMIS_GEN_EC_KEY_PAIR_UNCOMPRESSED=1` environment variable is set ([#959](https://github.com/cossacklabs/themis/pull/959))
   - Increased PBKDF2 iteration count to maintain security of Secure Cell passphrase mode ([#976](https://github.com/cossacklabs/themis/pull/976)).
+  - Bumped embedded BoringSSL to the latest version ([#1004](https://github.com/cossacklabs/themis/pull/1004)).
 
   - **Soter** (low-level security core used by Themis)
 

diff --git a/src/soter/boringssl/soter.mk b/src/soter/boringssl/soter.mk
@@ -87,14 +87,12 @@ ifeq ($(RENAME_BORINGSSL_SYMBOLS),yes)
 	 $(GO) run util/read_symbols.go -out $(abspath $(BIN_PATH)/boringssl/symbols.txt) \
 	     $(abspath $(BIN_PATH)/boringssl/stage-1/crypto/libcrypto.a) \
 	     $(abspath $(BIN_PATH)/boringssl/stage-1/decrepit/libdecrepit.a)
-	@# Path to symbols must be a relative one (relative to the build directory)
-	@# because absolute paths confuse BoringSSL's make.
 	@echo "building embedded BoringSSL again with renamed symbols..."
 	@mkdir -p $(BIN_PATH)/boringssl/stage-2
 	@cd $(BIN_PATH)/boringssl/stage-2 && \
 	 $(CMAKE) $(SOTER_ENGINE_CMAKE_FLAGS) \
 	     -DBORINGSSL_PREFIX=$(SOTER_BORINGSSL_PREFIX) \
-	     -DBORINGSSL_PREFIX_SYMBOLS=../symbols.txt \
+	     -DBORINGSSL_PREFIX_SYMBOLS=$(abspath $(BIN_PATH)/boringssl/symbols.txt) \
 	     $(abspath third_party/boringssl/src)
 ifeq ($(NINJA),)
 	@$(MAKE) -C $(BIN_PATH)/boringssl/stage-2 crypto decrepit

diff --git a/src/soter/boringssl/soter_rsa_key.c b/src/soter/boringssl/soter_rsa_key.c
@@ -101,7 +101,7 @@ static bool is_mod_size_supported(unsigned mod_size)
     }
 }
 
-static soter_status_t bignum_to_bytes(BIGNUM* bn, uint8_t* to, size_t to_length)
+static soter_status_t bignum_to_bytes(const BIGNUM* bn, uint8_t* to, size_t to_length)
 {
     size_t bn_size = (size_t)BN_num_bytes(bn);
     size_t bytes_copied;
@@ -159,16 +159,16 @@ soter_status_t soter_engine_specific_to_rsa_pub_key(const soter_engine_specific_
     }
 
     pub_exp = (uint32_t*)((unsigned char*)(key + 1) + rsa_mod_size);
-    if (BN_is_word(rsa->e, RSA_F4)) {
+    if (BN_is_word(RSA_get0_e(rsa), RSA_F4)) {
         *pub_exp = htobe32(RSA_F4);
-    } else if (BN_is_word(rsa->e, RSA_3)) {
+    } else if (BN_is_word(RSA_get0_e(rsa), RSA_3)) {
         *pub_exp = htobe32(RSA_3);
     } else {
         res = SOTER_INVALID_PARAMETER;
         goto err;
     }
 
-    res = bignum_to_bytes(rsa->n, (unsigned char*)(key + 1), rsa_mod_size);
+    res = bignum_to_bytes(RSA_get0_n(rsa), (unsigned char*)(key + 1), rsa_mod_size);
     if (SOTER_SUCCESS != res) {
         goto err;
     }
@@ -225,59 +225,59 @@ soter_status_t soter_engine_specific_to_rsa_priv_key(const soter_engine_specific
     }
 
     pub_exp = (uint32_t*)(curr_bn + ((rsa_mod_size * 4) + (rsa_mod_size / 2)));
-    if (BN_is_word(rsa->e, RSA_F4)) {
+    if (BN_is_word(RSA_get0_e(rsa), RSA_F4)) {
         *pub_exp = htobe32(RSA_F4);
-    } else if (BN_is_word(rsa->e, RSA_3)) {
+    } else if (BN_is_word(RSA_get0_e(rsa), RSA_3)) {
         *pub_exp = htobe32(RSA_3);
     } else {
         res = SOTER_INVALID_PARAMETER;
         goto err;
     }
 
     /* Private exponent */
-    res = bignum_to_bytes(rsa->d, curr_bn, rsa_mod_size);
+    res = bignum_to_bytes(RSA_get0_d(rsa), curr_bn, rsa_mod_size);
     if (SOTER_SUCCESS != res) {
         goto err;
     }
     curr_bn += rsa_mod_size;
 
     /* p */
-    res = bignum_to_bytes(rsa->p, curr_bn, rsa_mod_size / 2);
+    res = bignum_to_bytes(RSA_get0_p(rsa), curr_bn, rsa_mod_size / 2);
     if (SOTER_SUCCESS != res) {
         goto err;
     }
     curr_bn += rsa_mod_size / 2;
 
     /* q */
-    res = bignum_to_bytes(rsa->q, curr_bn, rsa_mod_size / 2);
+    res = bignum_to_bytes(RSA_get0_q(rsa), curr_bn, rsa_mod_size / 2);
     if (SOTER_SUCCESS != res) {
         goto err;
     }
     curr_bn += rsa_mod_size / 2;
 
     /* dp */
-    res = bignum_to_bytes(rsa->dmp1, curr_bn, rsa_mod_size / 2);
+    res = bignum_to_bytes(RSA_get0_dmp1(rsa), curr_bn, rsa_mod_size / 2);
     if (SOTER_SUCCESS != res) {
         goto err;
     }
     curr_bn += rsa_mod_size / 2;
 
     /* dq */
-    res = bignum_to_bytes(rsa->dmq1, curr_bn, rsa_mod_size / 2);
+    res = bignum_to_bytes(RSA_get0_dmq1(rsa), curr_bn, rsa_mod_size / 2);
     if (SOTER_SUCCESS != res) {
         goto err;
     }
     curr_bn += rsa_mod_size / 2;
 
     /* qp */
-    res = bignum_to_bytes(rsa->iqmp, curr_bn, rsa_mod_size / 2);
+    res = bignum_to_bytes(RSA_get0_iqmp(rsa), curr_bn, rsa_mod_size / 2);
     if (SOTER_SUCCESS != res) {
         goto err;
     }
     curr_bn += rsa_mod_size / 2;
 
     /* modulus */
-    res = bignum_to_bytes(rsa->n, curr_bn, rsa_mod_size);
+    res = bignum_to_bytes(RSA_get0_n(rsa), curr_bn, rsa_mod_size);
     if (SOTER_SUCCESS != res) {
         goto err;
     }

diff --git a/src/soter/boringssl/soter_sign_ecdsa.c b/src/soter/boringssl/soter_sign_ecdsa.c
@@ -135,7 +135,7 @@ soter_status_t soter_sign_final_ecdsa_none_pkcs8(soter_sign_ctx_t* ctx,
     if (!pkey) {
         return SOTER_INVALID_PARAMETER;
     }
-    if (EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) {
+    if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) {
         return SOTER_INVALID_PARAMETER;
     }
     /* TODO: need review */

diff --git a/third_party/boringssl/src b/third_party/boringssl/src