aws-crt 0.1.9 → 0.2.0

data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/rand_test.cc

@@ -236,75 +236,12 @@ TEST(RandTest, RdrandABI) {
 TEST(RandTest, PassiveEntropyLoad) {
   uint8_t out_entropy[CTR_DRBG_ENTROPY_LEN] = {0};
   uint8_t entropy[PASSIVE_ENTROPY_LOAD_LENGTH] = {
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
     0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
     0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
     0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
     0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
     0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
     0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
-
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-    0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
-
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-    0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0, 0xF0,
-
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
-    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
   };
   uint8_t expected_out_entropy[CTR_DRBG_ENTROPY_LEN] = {
     0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,

data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/windows.c

@@ -14,7 +14,9 @@
 
 #include <openssl/rand.h>
 
-#if defined(OPENSSL_WINDOWS) && !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+#include "../fipsmodule/rand/internal.h"
+
+#if defined(OPENSSL_RAND_WINDOWS)
 
 #include <limits.h>
 #include <stdlib.h>
@@ -27,19 +29,14 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3))
     !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
 #include <bcrypt.h>
 OPENSSL_MSVC_PRAGMA(comment(lib, "bcrypt.lib"))
-#else
-// #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036.  See the
-// "Community Additions" comment on MSDN here:
-// http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx
-#define SystemFunction036 NTAPI SystemFunction036
-#include <ntsecapi.h>
-#undef SystemFunction036
 #endif  // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP
 
 OPENSSL_MSVC_PRAGMA(warning(pop))
 
-#include "../fipsmodule/rand/internal.h"
+#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) && \
+    !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
 
+void CRYPTO_init_sysrand(void) {}
 
 void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   while (requested > 0) {
@@ -47,27 +44,52 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) {
     if (requested < output_bytes_this_pass) {
       output_bytes_this_pass = (ULONG)requested;
     }
-    // On non-UWP configurations, use RtlGenRandom instead of BCryptGenRandom
-    // to avoid accessing resources that may be unavailable inside the
-    // Chromium sandbox. See https://crbug.com/boringssl/307
-#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) && \
-    !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
     if (!BCRYPT_SUCCESS(BCryptGenRandom(
             /*hAlgorithm=*/NULL, out, output_bytes_this_pass,
             BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
-#else
-    if (RtlGenRandom(out, output_bytes_this_pass) == FALSE) {
-#endif  // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP
       abort();
     }
     requested -= output_bytes_this_pass;
     out += output_bytes_this_pass;
   }
-  return;
 }
 
+#else
+
+// See: https://learn.microsoft.com/en-us/windows/win32/seccng/processprng
+typedef BOOL (WINAPI *ProcessPrngFunction)(PBYTE pbData, SIZE_T cbData);
+static ProcessPrngFunction g_processprng_fn = NULL;
+
+static void init_processprng(void) {
+  HMODULE hmod = LoadLibraryW(L"bcryptprimitives");
+  if (hmod == NULL) {
+    abort();
+  }
+  g_processprng_fn = (ProcessPrngFunction)GetProcAddress(hmod, "ProcessPrng");
+  if (g_processprng_fn == NULL) {
+    abort();
+  }
+}
+
+void CRYPTO_init_sysrand(void) {
+  static CRYPTO_once_t once = CRYPTO_ONCE_INIT;
+  CRYPTO_once(&once, init_processprng);
+}
+
+void CRYPTO_sysrand(uint8_t *out, size_t requested) {
+  CRYPTO_init_sysrand();
+  // On non-UWP configurations, use ProcessPrng instead of BCryptGenRandom
+  // to avoid accessing resources that may be unavailable inside the
+  // Chromium sandbox. See https://crbug.com/74242
+  if (!g_processprng_fn(out, requested)) {
+    abort();
+  }
+}
+
+#endif  // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP
+
 void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {
   CRYPTO_sysrand(out, requested);
 }
 
-#endif  // OPENSSL_WINDOWS && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE
+#endif  // OPENSSL_RAND_WINDOWS

data/aws-crt-ffi/crt/aws-lc/crypto/rsa_extra/rsa_test.cc

@@ -785,7 +785,7 @@ TEST(RSADeathTest, GenerateSmallKeyAndDie) {
   ASSERT_DEATH_IF_SUPPORTED(RSA_generate_key_ex(rsa.get(), 255, e.get(), nullptr), "");
 }
 #endif
-#endif 
+#endif
 
 // Attempting to generate an funny RSA key length should round down.
 TEST(RSATest, RoundKeyLengths) {
@@ -1072,7 +1072,7 @@ TEST(RSATest, KeygenFail) {
   EXPECT_FALSE(rsa->d_fixed);
   EXPECT_FALSE(rsa->dmp1_fixed);
   EXPECT_FALSE(rsa->dmq1_fixed);
-  EXPECT_FALSE(rsa->inv_small_mod_large_mont);
+  EXPECT_FALSE(rsa->iqmp_mont);
   EXPECT_FALSE(rsa->private_key_frozen);
 
   // Failed key generations leave the previous contents alone.
@@ -1166,7 +1166,7 @@ TEST(RSADeathTest, KeygenFailAndDie) {
   EXPECT_FALSE(rsa->d_fixed);
   EXPECT_FALSE(rsa->dmp1_fixed);
   EXPECT_FALSE(rsa->dmq1_fixed);
-  EXPECT_FALSE(rsa->inv_small_mod_large_mont);
+  EXPECT_FALSE(rsa->iqmp_mont);
   EXPECT_FALSE(rsa->private_key_frozen);
 
   // Failed key generations leave the previous contents alone.

data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash.c

@@ -41,11 +41,18 @@ uint64_t SIPHASH_24(const uint64_t key[2], const uint8_t *input,
                     size_t input_len) {
   const size_t orig_input_len = input_len;
 
-  uint64_t v[4];
-  v[0] = key[0] ^ UINT64_C(0x736f6d6570736575);
-  v[1] = key[1] ^ UINT64_C(0x646f72616e646f6d);
-  v[2] = key[0] ^ UINT64_C(0x6c7967656e657261);
-  v[3] = key[1] ^ UINT64_C(0x7465646279746573);
+  uint64_t v[4], k0, k1;
+#ifdef OPENSSL_BIG_ENDIAN
+  k0 = CRYPTO_bswap8(key[0]);
+  k1 = CRYPTO_bswap8(key[1]);
+#else
+  k0 = key[0];
+  k1 = key[1];
+#endif
+  v[0] = k0 ^ UINT64_C(0x736f6d6570736575);
+  v[1] = k1 ^ UINT64_C(0x646f72616e646f6d);
+  v[2] = k0 ^ UINT64_C(0x6c7967656e657261);
+  v[3] = k1 ^ UINT64_C(0x7465646279746573);
 
   while (input_len >= sizeof(uint64_t)) {
     uint64_t m = CRYPTO_load_u64_le(input);

data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash_test.cc

@@ -41,17 +41,17 @@ TEST(SipHash, Basic) {
 
 TEST(SipHash, Vectors) {
   FileTestGTest("crypto/siphash/siphash_tests.txt", [](FileTest *t) {
-    std::vector<uint8_t> key, msg, hash;
+    std::vector<uint8_t> key, msg, hash_bytes;
     ASSERT_TRUE(t->GetBytes(&key, "KEY"));
     ASSERT_TRUE(t->GetBytes(&msg, "IN"));
-    ASSERT_TRUE(t->GetBytes(&hash, "HASH"));
+    ASSERT_TRUE(t->GetBytes(&hash_bytes, "HASH"));
     ASSERT_EQ(16u, key.size());
-    ASSERT_EQ(8u, hash.size());
+    ASSERT_EQ(8u, hash_bytes.size());
+    uint64_t hash = CRYPTO_load_u64_le(hash_bytes.data());
 
     uint64_t key_words[2];
     memcpy(key_words, key.data(), key.size());
     uint64_t result = SIPHASH_24(key_words, msg.data(), msg.size());
-    EXPECT_EQ(Bytes(reinterpret_cast<uint8_t *>(&result), sizeof(result)),
-              Bytes(hash));
+    EXPECT_EQ(result, hash);
   });
 }

data/aws-crt-ffi/crt/aws-lc/crypto/stack/stack.c

@@ -65,16 +65,30 @@
 #include "../internal.h"
 
 
+struct stack_st {
+  // num contains the number of valid pointers in |data|.
+  size_t num;
+  void **data;
+  // sorted is non-zero if the values pointed to by |data| are in ascending
+  // order, based on |comp|.
+  int sorted;
+  // num_alloc contains the number of pointers allocated in the buffer pointed
+  // to by |data|, which may be larger than |num|.
+  size_t num_alloc;
+  // comp is an optional comparison function.
+  OPENSSL_sk_cmp_func comp;
+};
+
 // kMinSize is the number of pointers that will be initially allocated in a new
 // stack.
 static const size_t kMinSize = 4;
 
-_STACK *sk_new(OPENSSL_sk_cmp_func comp) {
-  _STACK *ret = OPENSSL_malloc(sizeof(_STACK));
+OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_cmp_func comp) {
+  OPENSSL_STACK *ret = OPENSSL_malloc(sizeof(OPENSSL_STACK));
   if (ret == NULL) {
     return NULL;
   }
-  OPENSSL_memset(ret, 0, sizeof(_STACK));
+  OPENSSL_memset(ret, 0, sizeof(OPENSSL_STACK));
 
   ret->data = OPENSSL_malloc(sizeof(void *) * kMinSize);
   if (ret->data == NULL) {
@@ -93,16 +107,16 @@ err:
   return NULL;
 }
 
-_STACK *sk_new_null(void) { return sk_new(NULL); }
+OPENSSL_STACK *OPENSSL_sk_new_null(void) { return OPENSSL_sk_new(NULL); }
 
-size_t sk_num(const _STACK *sk) {
+size_t OPENSSL_sk_num(const OPENSSL_STACK *sk) {
   if (sk == NULL) {
     return 0;
   }
   return sk->num;
 }
 
-void sk_zero(_STACK *sk) {
+void OPENSSL_sk_zero(OPENSSL_STACK *sk) {
   if (sk == NULL || sk->num == 0) {
     return;
   }
@@ -111,21 +125,21 @@ void sk_zero(_STACK *sk) {
   sk->sorted = 0;
 }
 
-void *sk_value(const _STACK *sk, size_t i) {
+void *OPENSSL_sk_value(const OPENSSL_STACK *sk, size_t i) {
   if (!sk || i >= sk->num) {
     return NULL;
   }
   return sk->data[i];
 }
 
-void *sk_set(_STACK *sk, size_t i, void *value) {
+void *OPENSSL_sk_set(OPENSSL_STACK *sk, size_t i, void *value) {
   if (!sk || i >= sk->num) {
     return NULL;
   }
   return sk->data[i] = value;
 }
 
-void sk_free(_STACK *sk) {
+void OPENSSL_sk_free(OPENSSL_STACK *sk) {
   if (sk == NULL) {
     return;
   }
@@ -133,8 +147,9 @@ void sk_free(_STACK *sk) {
   OPENSSL_free(sk);
 }
 
-void sk_pop_free_ex(_STACK *sk, OPENSSL_sk_call_free_func call_free_func,
-                    OPENSSL_sk_free_func free_func) {
+void OPENSSL_sk_pop_free_ex(OPENSSL_STACK *sk,
+                            OPENSSL_sk_call_free_func call_free_func,
+                            OPENSSL_sk_free_func free_func) {
   if (sk == NULL) {
     return;
   }
@@ -144,7 +159,7 @@ void sk_pop_free_ex(_STACK *sk, OPENSSL_sk_call_free_func call_free_func,
       call_free_func(free_func, sk->data[i]);
     }
   }
-  sk_free(sk);
+  OPENSSL_sk_free(sk);
 }
 
 // Historically, |sk_pop_free| called the function as |OPENSSL_sk_free_func|
@@ -154,11 +169,11 @@ static void call_free_func_legacy(OPENSSL_sk_free_func func, void *ptr) {
   func(ptr);
 }
 
-void sk_pop_free(_STACK *sk, OPENSSL_sk_free_func free_func) {
-  sk_pop_free_ex(sk, call_free_func_legacy, free_func);
+void sk_pop_free(OPENSSL_STACK *sk, OPENSSL_sk_free_func free_func) {
+  OPENSSL_sk_pop_free_ex(sk, call_free_func_legacy, free_func);
 }
 
-size_t sk_insert(_STACK *sk, void *p, size_t where) {
+size_t OPENSSL_sk_insert(OPENSSL_STACK *sk, void *p, size_t where) {
   if (sk == NULL) {
     return 0;
   }
@@ -208,7 +223,7 @@ size_t sk_insert(_STACK *sk, void *p, size_t where) {
   return sk->num;
 }
 
-void *sk_delete(_STACK *sk, size_t where) {
+void *OPENSSL_sk_delete(OPENSSL_STACK *sk, size_t where) {
   void *ret;
 
   if (!sk || where >= sk->num) {
@@ -226,22 +241,23 @@ void *sk_delete(_STACK *sk, size_t where) {
   return ret;
 }
 
-void *sk_delete_ptr(_STACK *sk, const void *p) {
+void *OPENSSL_sk_delete_ptr(OPENSSL_STACK *sk, const void *p) {
   if (sk == NULL) {
     return NULL;
   }
 
   for (size_t i = 0; i < sk->num; i++) {
     if (sk->data[i] == p) {
-      return sk_delete(sk, i);
+      return OPENSSL_sk_delete(sk, i);
     }
   }
 
   return NULL;
 }
 
-void sk_delete_if(_STACK *sk, OPENSSL_sk_call_delete_if_func call_func,
-                  OPENSSL_sk_delete_if_func func, void *data) {
+void OPENSSL_sk_delete_if(OPENSSL_STACK *sk,
+                          OPENSSL_sk_call_delete_if_func call_func,
+                          OPENSSL_sk_delete_if_func func, void *data) {
   if (sk == NULL) {
     return;
   }
@@ -256,8 +272,8 @@ void sk_delete_if(_STACK *sk, OPENSSL_sk_call_delete_if_func call_func,
   sk->num = new_num;
 }
 
-int sk_find(const _STACK *sk, size_t *out_index, const void *p,
-            OPENSSL_sk_call_cmp_func call_cmp_func) {
+int OPENSSL_sk_find(const OPENSSL_STACK *sk, size_t *out_index, const void *p,
+                    OPENSSL_sk_call_cmp_func call_cmp_func) {
   if (sk == NULL) {
     return 0;
   }
@@ -279,10 +295,9 @@ int sk_find(const _STACK *sk, size_t *out_index, const void *p,
     return 0;
   }
 
-  if (!sk_is_sorted(sk)) {
+  if (!OPENSSL_sk_is_sorted(sk)) {
     for (size_t i = 0; i < sk->num; i++) {
-      const void *elem = sk->data[i];
-      if (call_cmp_func(sk->comp, &p, &elem) == 0) {
+      if (call_cmp_func(sk->comp, p, sk->data[i]) == 0) {
         if (out_index) {
           *out_index = i;
         }
@@ -301,8 +316,7 @@ int sk_find(const _STACK *sk, size_t *out_index, const void *p,
     // Bias |mid| towards |lo|. See the |r == 0| case below.
     size_t mid = lo + (hi - lo - 1) / 2;
     assert(lo <= mid && mid < hi);
-    const void *elem = sk->data[mid];
-    int r = call_cmp_func(sk->comp, &p, &elem);
+    int r = call_cmp_func(sk->comp, p, sk->data[mid]);
     if (r > 0) {
       lo = mid + 1;  // |mid| is too low.
     } else if (r < 0) {
@@ -327,38 +341,40 @@ int sk_find(const _STACK *sk, size_t *out_index, const void *p,
   return 0;  // Not found.
 }
 
-void *sk_shift(_STACK *sk) {
+void *OPENSSL_sk_shift(OPENSSL_STACK *sk) {
   if (sk == NULL) {
     return NULL;
   }
   if (sk->num == 0) {
     return NULL;
   }
-  return sk_delete(sk, 0);
+  return OPENSSL_sk_delete(sk, 0);
 }
 
-size_t sk_push(_STACK *sk, void *p) { return (sk_insert(sk, p, sk->num)); }
+size_t OPENSSL_sk_push(OPENSSL_STACK *sk, void *p) {
+  return OPENSSL_sk_insert(sk, p, sk->num);
+}
 
-void *sk_pop(_STACK *sk) {
+void *OPENSSL_sk_pop(OPENSSL_STACK *sk) {
   if (sk == NULL) {
     return NULL;
   }
   if (sk->num == 0) {
     return NULL;
   }
-  return sk_delete(sk, sk->num - 1);
+  return OPENSSL_sk_delete(sk, sk->num - 1);
 }
 
-_STACK *sk_dup(const _STACK *sk) {
+OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk) {
   if (sk == NULL) {
     return NULL;
   }
 
-  _STACK *ret = OPENSSL_malloc(sizeof(_STACK));
+  OPENSSL_STACK *ret = OPENSSL_malloc(sizeof(OPENSSL_STACK));
   if (ret == NULL) {
     return NULL;
   }
-  OPENSSL_memset(ret, 0, sizeof(_STACK));
+  OPENSSL_memset(ret, 0, sizeof(OPENSSL_STACK));
 
   ret->data = OPENSSL_malloc(sizeof(void *) * sk->num_alloc);
   if (ret->data == NULL) {
@@ -373,7 +389,7 @@ _STACK *sk_dup(const _STACK *sk) {
   return ret;
 
 err:
-  sk_free(ret);
+  OPENSSL_sk_free(ret);
   return NULL;
 }
 
@@ -385,11 +401,15 @@ struct sort_compare_ctx {
 
 static int sort_compare(void *ctx_v, const void *a, const void *b) {
   struct sort_compare_ctx *ctx = ctx_v;
-  return ctx->call_cmp_func(ctx->cmp_func, a, b);
+  // |a| and |b| point to |void*| pointers which contain the actual values.
+  const void *const *a_ptr = a;
+  const void *const *b_ptr = b;
+  return ctx->call_cmp_func(ctx->cmp_func, *a_ptr, *b_ptr);
 }
 #endif
 
-void sk_sort(_STACK *sk, OPENSSL_sk_call_cmp_func call_cmp_func) {
+void OPENSSL_sk_sort(OPENSSL_STACK *sk,
+                     OPENSSL_sk_call_cmp_func call_cmp_func) {
   if (sk == NULL || sk->comp == NULL || sk->sorted) {
     return;
   }
@@ -418,7 +438,7 @@ void sk_sort(_STACK *sk, OPENSSL_sk_call_cmp_func call_cmp_func) {
   sk->sorted = 1;
 }
 
-int sk_is_sorted(const _STACK *sk) {
+int OPENSSL_sk_is_sorted(const OPENSSL_STACK *sk) {
   if (!sk) {
     return 1;
   }
@@ -426,7 +446,8 @@ int sk_is_sorted(const _STACK *sk) {
   return sk->sorted || (sk->comp != NULL && sk->num < 2);
 }
 
-OPENSSL_sk_cmp_func sk_set_cmp_func(_STACK *sk, OPENSSL_sk_cmp_func comp) {
+OPENSSL_sk_cmp_func OPENSSL_sk_set_cmp_func(OPENSSL_STACK *sk,
+                                            OPENSSL_sk_cmp_func comp) {
   OPENSSL_sk_cmp_func old = sk->comp;
 
   if (sk->comp != comp) {
@@ -437,11 +458,12 @@ OPENSSL_sk_cmp_func sk_set_cmp_func(_STACK *sk, OPENSSL_sk_cmp_func comp) {
   return old;
 }
 
-_STACK *sk_deep_copy(const _STACK *sk, OPENSSL_sk_call_copy_func call_copy_func,
-                     OPENSSL_sk_copy_func copy_func,
-                     OPENSSL_sk_call_free_func call_free_func,
-                     OPENSSL_sk_free_func free_func) {
-  _STACK *ret = sk_dup(sk);
+OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk,
+                                    OPENSSL_sk_call_copy_func call_copy_func,
+                                    OPENSSL_sk_copy_func copy_func,
+                                    OPENSSL_sk_call_free_func call_free_func,
+                                    OPENSSL_sk_free_func free_func) {
+  OPENSSL_STACK *ret = OPENSSL_sk_dup(sk);
   if (ret == NULL) {
     return NULL;
   }
@@ -457,7 +479,7 @@ _STACK *sk_deep_copy(const _STACK *sk, OPENSSL_sk_call_copy_func call_copy_func,
           call_free_func(free_func, ret->data[j]);
         }
       }
-      sk_free(ret);
+      OPENSSL_sk_free(ret);
       return NULL;
     }
   }

data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/pmbtoken.c

@@ -201,7 +201,7 @@ static int pmbtoken_compute_keys(const PMBTOKEN_METHOD *method,
   }
 
   const EC_SCALAR *scalars[] = {x0, y0, x1, y1, xs, ys};
-  size_t scalar_len = BN_num_bytes(&group->order);
+  size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {
     uint8_t *buf;
     if (!CBB_add_space(out_private, &buf, scalar_len)) {
@@ -290,7 +290,7 @@ static int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method,
   const EC_GROUP *group = method->group;
   CBS cbs, tmp;
   CBS_init(&cbs, in, len);
-  size_t scalar_len = BN_num_bytes(&group->order);
+  size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
   EC_SCALAR *scalars[] = {&key->x0, &key->y0, &key->x1,
                           &key->y1, &key->xs, &key->ys};
   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {
@@ -390,7 +390,7 @@ err:
 static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
                          const EC_SCALAR *scalar) {
   uint8_t *buf;
-  size_t scalar_len = BN_num_bytes(&group->order);
+  size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
   if (!CBB_add_space(out, &buf, scalar_len)) {
     return 0;
   }
@@ -399,7 +399,7 @@ static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
 }
 
 static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {
-  size_t scalar_len = BN_num_bytes(&group->order);
+  size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
   CBS tmp;
   if (!CBS_get_bytes(cbs, &tmp, scalar_len)) {
     OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);

data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/voprf.c

@@ -95,7 +95,7 @@ static int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) {
 static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
                          const EC_SCALAR *scalar) {
   uint8_t *buf;
-  size_t scalar_len = BN_num_bytes(&group->order);
+  size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
   if (!CBB_add_space(out, &buf, scalar_len)) {
     return 0;
   }
@@ -104,7 +104,7 @@ static int scalar_to_cbb(CBB *out, const EC_GROUP *group,
 }
 
 static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {
-  size_t scalar_len = BN_num_bytes(&group->order);
+  size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));
   CBS tmp;
   if (!CBS_get_bytes(cbs, &tmp, scalar_len)) {
     OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);

data/aws-crt-ffi/crt/aws-lc/crypto/x509/by_dir.c

@@ -81,7 +81,6 @@ typedef struct lookup_dir_entry_st {
 } BY_DIR_ENTRY;
 
 typedef struct lookup_dir_st {
-  BUF_MEM *buffer;
   STACK_OF(BY_DIR_ENTRY) *dirs;
 } BY_DIR;
 
@@ -141,10 +140,6 @@ static int new_dir(X509_LOOKUP *lu) {
   if ((a = (BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL) {
     return 0;
   }
-  if ((a->buffer = BUF_MEM_new()) == NULL) {
-    OPENSSL_free(a);
-    return 0;
-  }
   a->dirs = NULL;
   lu->method_data = a;
   return 1;
@@ -175,7 +170,6 @@ static void free_dir(X509_LOOKUP *lu) {
   BY_DIR *a = lu->method_data;
   if (a != NULL) {
     sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
-    BUF_MEM_free(a->buffer);
     OPENSSL_free(a);
   }
 }

data/aws-crt-ffi/crt/aws-lc/crypto/x509/internal.h

@@ -275,7 +275,6 @@ struct x509_lookup_method_st {
 // function is then called to actually check the cert chain.
 struct x509_store_st {
   // The following is a cache of trusted certs
-  int cache;                    // if true, stash any hits
   STACK_OF(X509_OBJECT) *objs;  // Cache of all objects
   CRYPTO_MUTEX objs_lock;
 
@@ -361,6 +360,8 @@ struct x509_store_ctx_st {
   CRYPTO_EX_DATA ex_data;
 } /* X509_STORE_CTX */;
 
+void X509_OBJECT_free_contents(X509_OBJECT *a);
+
 ASN1_TYPE *ASN1_generate_v3(const char *str, const X509V3_CTX *cnf);
 
 int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent);
@@ -371,6 +372,8 @@ int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent);
 // caller must not free the result after use.
 EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key);
 
+int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int suppress_error);
+
 // RSA-PSS functions.
 
 // x509_rsa_pss_to_ctx configures |ctx| for an RSA-PSS operation based on