Create mutable EC_GROUP API for OpenSSL compatibility #1860
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
Addresses
CryptoAlg-2547
Description of changes:
Further investigation led us to discover that Ruby depends on mutable
EC_GROUP
s from OpenSSL. These were made immutable with the introduction of our default staticEC_GROUP
curves, which have been beneficial for us and our existing consumers. This was done by making the mutable portions ofEC_GROUP
s no-ops (EC_GROUP_set_asn1_flag
andEC_GROUP_set_point_conversion_form
), which OpenSSL couldn't do due to their more complex use case.Ruby (and possibly other dynamic languages) mutates the data being stored in
EC_GROUP
and depends on it for subsequent operations. Since our default groups are static and immutable, this causes issues when integrating with Ruby. We don't want to sacrifice the benefits of static groups and reversing the optional call toEC_GROUP_free
is a dangerously silent memory leak.We've decided to introduce a special API for mutable
EC_GROUP
s for our default curves. This gives us a path forward for Ruby and keeps the benefits of static curves for existing consumers. Custom curves are already dynamically allocated so they don't need another special API, but the additional complexities for maintaining the underlyinggenerator
warrant another commit separate from this.Call-outs:
EC_GROUP_dup
andEC_GROUP_cmp
were done right.Testing:
Extended against tests using existing
EC_GROUP
s and conversion formats. These were focused on retrieving theconv_form
from theEC_GROUP
to use.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.