grpc 1.63.0 → 1.64.0

data/third_party/boringssl-with-bazel/src/ssl/ssl_lib.cc

@@ -279,17 +279,21 @@ ssl_open_record_t ssl_open_app_data(SSL *ssl, Span<uint8_t> *out,
   return ret;
 }
 
-static bool cbb_add_hex(CBB *cbb, Span<const uint8_t> in) {
-  static const char hextable[] = "0123456789abcdef";
-  uint8_t *out;
+static uint8_t hex_char_consttime(uint8_t b) {
+  declassify_assert(b < 16);
+  return constant_time_select_8(constant_time_lt_8(b, 10), b + '0',
+                                b - 10 + 'a');
+}
 
-  if (!CBB_add_space(cbb, &out, in.size() * 2)) {
+static bool cbb_add_hex_consttime(CBB *cbb, Span<const uint8_t> in) {
+  uint8_t *out;
+if (!CBB_add_space(cbb, &out, in.size() * 2)) {
     return false;
   }
 
   for (uint8_t b : in) {
-    *(out++) = (uint8_t)hextable[b >> 4];
-    *(out++) = (uint8_t)hextable[b & 0xf];
+    *(out++) = hex_char_consttime(b >> 4);
+    *(out++) = hex_char_consttime(b & 0xf);
   }
 
   return true;
@@ -308,9 +312,11 @@ bool ssl_log_secret(const SSL *ssl, const char *label,
       !CBB_add_bytes(cbb.get(), reinterpret_cast<const uint8_t *>(label),
                      strlen(label)) ||
       !CBB_add_u8(cbb.get(), ' ') ||
-      !cbb_add_hex(cbb.get(), ssl->s3->client_random) ||
+      !cbb_add_hex_consttime(cbb.get(), ssl->s3->client_random) ||
       !CBB_add_u8(cbb.get(), ' ') ||
-      !cbb_add_hex(cbb.get(), secret) ||
+      // Convert to hex in constant time to avoid leaking |secret|. If the
+      // callback discards the data, we should not introduce side channels.
+      !cbb_add_hex_consttime(cbb.get(), secret) ||
       !CBB_add_u8(cbb.get(), 0 /* NUL */) ||
       !CBBFinishArray(cbb.get(), &line)) {
     return false;
@@ -523,7 +529,8 @@ static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
 }
 
 ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
-    : method(ssl_method->method),
+    : RefCounted(CheckSubClass()),
+      method(ssl_method->method),
       x509_method(ssl_method->x509_method),
       retain_only_sha256_of_client_certs(false),
       quiet_shutdown(false),
@@ -569,9 +576,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
   ret->cert = MakeUnique<CERT>(method->x509_method);
   ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
   ret->client_CA.reset(sk_CRYPTO_BUFFER_new_null());
-  if (ret->cert == nullptr ||
-      ret->sessions == nullptr ||
-      ret->client_CA == nullptr ||
+  if (ret->cert == nullptr ||       //
+      !ret->cert->is_valid() ||     //
+      ret->sessions == nullptr ||   //
+      ret->client_CA == nullptr ||  //
       !ret->x509_method->ssl_ctx_new(ret.get())) {
     return nullptr;
   }
@@ -589,18 +597,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
 }
 
 int SSL_CTX_up_ref(SSL_CTX *ctx) {
-  CRYPTO_refcount_inc(&ctx->references);
+  ctx->UpRefInternal();
   return 1;
 }
 
 void SSL_CTX_free(SSL_CTX *ctx) {
-  if (ctx == NULL ||
-      !CRYPTO_refcount_dec_and_test_zero(&ctx->references)) {
-    return;
+  if (ctx != nullptr) {
+    ctx->DecRefInternal();
   }
-
-  ctx->~ssl_ctx_st();
-  OPENSSL_free(ctx);
 }
 
 ssl_st::ssl_st(SSL_CTX *ctx_arg)
@@ -708,7 +712,9 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
       jdk11_workaround(false),
       quic_use_legacy_codepoint(false),
       permute_extensions(false),
-      alps_use_new_codepoint(false) {
+      alps_use_new_codepoint(false),
+      check_client_certificate_type(true),
+      check_ecdsa_curve(true) {
   assert(ssl);
 }
 
@@ -1569,13 +1575,6 @@ const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {
   return ssl->config->cert->sid_ctx;
 }
 
-void SSL_certs_clear(SSL *ssl) {
-  if (!ssl->config) {
-    return;
-  }
-  ssl_cert_clear_certs(ssl->config->cert.get());
-}
-
 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
 
 int SSL_get_rfd(const SSL *ssl) {
@@ -1734,17 +1733,36 @@ int SSL_has_pending(const SSL *ssl) {
   return SSL_pending(ssl) != 0 || !ssl->s3->read_buffer.empty();
 }
 
+static bool has_cert_and_key(const SSL_CREDENTIAL *cred) {
+  // TODO(davidben): If |cred->key_method| is set, that should be fine too.
+  if (cred->privkey == nullptr) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
+    return false;
+  }
+
+  if (cred->chain == nullptr ||
+      sk_CRYPTO_BUFFER_value(cred->chain.get(), 0) == nullptr) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
+    return false;
+  }
+
+  return true;
+}
+
 int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
-  return ssl_cert_check_private_key(ctx->cert.get(),
-                                    ctx->cert->privatekey.get());
+  // There is no need to actually check consistency because inconsistent values
+  // can never be configured.
+  return has_cert_and_key(ctx->cert->default_credential.get());
 }
 
 int SSL_check_private_key(const SSL *ssl) {
   if (!ssl->config) {
     return 0;
   }
-  return ssl_cert_check_private_key(ssl->config->cert.get(),
-                                    ssl->config->cert->privatekey.get());
+
+  // There is no need to actually check consistency because inconsistent values
+  // can never be configured.
+  return has_cert_and_key(ssl->config->cert->default_credential.get());
 }
 
 long SSL_get_default_timeout(const SSL *ssl) {
@@ -2519,21 +2537,13 @@ size_t SSL_get0_peer_delegation_algorithms(const SSL *ssl,
 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
   if (!ssl->config) {
     assert(ssl->config);
-    return NULL;
-  }
-  if (ssl->config->cert != NULL) {
-    return ssl->config->cert->privatekey.get();
+    return nullptr;
   }
-
-  return NULL;
+  return ssl->config->cert->default_credential->privkey.get();
 }
 
 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) {
-  if (ctx->cert != NULL) {
-    return ctx->cert->privatekey.get();
-  }
-
-  return NULL;
+  return ctx->cert->default_credential->privkey.get();
 }
 
 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
@@ -2670,12 +2680,8 @@ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) {
 
 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
                          CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
-  int index;
-  if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp,
-                               free_func)) {
-    return -1;
-  }
-  return index;
+  return CRYPTO_get_ex_new_index_ex(&g_ex_data_class_ssl, argl, argp,
+                                    free_func);
 }
 
 int SSL_set_ex_data(SSL *ssl, int idx, void *data) {
@@ -2689,12 +2695,8 @@ void *SSL_get_ex_data(const SSL *ssl, int idx) {
 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
                              CRYPTO_EX_dup *dup_unused,
                              CRYPTO_EX_free *free_func) {
-  int index;
-  if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp,
-                               free_func)) {
-    return -1;
-  }
-  return index;
+  return CRYPTO_get_ex_new_index_ex(&g_ex_data_class_ssl_ctx, argl, argp,
+                                 free_func);
 }
 
 int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) {
@@ -3048,6 +3050,20 @@ void SSL_set_jdk11_workaround(SSL *ssl, int enable) {
   ssl->config->jdk11_workaround = !!enable;
 }
 
+void SSL_set_check_client_certificate_type(SSL *ssl, int enable) {
+  if (!ssl->config) {
+    return;
+  }
+  ssl->config->check_client_certificate_type = !!enable;
+}
+
+void SSL_set_check_ecdsa_curve(SSL *ssl, int enable) {
+  if (!ssl->config) {
+    return;
+  }
+  ssl->config->check_ecdsa_curve = !!enable;
+}
+
 void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy) {
   if (!ssl->config) {
     return;

data/third_party/boringssl-with-bazel/src/ssl/ssl_privkey.cc

@@ -59,6 +59,8 @@
 #include <assert.h>
 #include <limits.h>
 
+#include <algorithm>
+
 #include <openssl/ec.h>
 #include <openssl/ec_key.h>
 #include <openssl/err.h>
@@ -77,23 +79,6 @@ bool ssl_is_key_type_supported(int key_type) {
          key_type == EVP_PKEY_ED25519;
 }
 
-static bool ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) {
-  if (!ssl_is_key_type_supported(EVP_PKEY_id(pkey))) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
-    return false;
-  }
-
-  if (cert->chain != nullptr &&
-      sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) != nullptr &&
-      // Sanity-check that the private key and the certificate match.
-      !ssl_cert_check_private_key(cert, pkey)) {
-    return false;
-  }
-
-  cert->privatekey = UpRef(pkey);
-  return true;
-}
-
 typedef struct {
   uint16_t sigalg;
   int pkey_type;
@@ -134,21 +119,21 @@ static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
   return NULL;
 }
 
-bool ssl_has_private_key(const SSL_HANDSHAKE *hs) {
-  if (hs->config->cert->privatekey != nullptr ||
-      hs->config->cert->key_method != nullptr ||
-      ssl_signing_with_dc(hs)) {
-    return true;
+bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
+                                 uint16_t sigalg) {
+  const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
+  if (alg == NULL || EVP_PKEY_id(pkey) != alg->pkey_type) {
+    return false;
   }
 
-  return false;
-}
-
-static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
-                                    uint16_t sigalg) {
-  const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
-  if (alg == NULL ||
-      EVP_PKEY_id(pkey) != alg->pkey_type) {
+  // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
+  // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
+  // hash in TLS. Reasonable RSA key sizes are large enough for the largest
+  // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for
+  // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the
+  // size so that we can fall back to another algorithm in that case.
+  if (alg->is_rsa_pss &&
+      (size_t)EVP_PKEY_size(pkey) < 2 * EVP_MD_size(alg->digest_func()) + 2) {
     return false;
   }
 
@@ -186,7 +171,7 @@ static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
 
 static bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
                       uint16_t sigalg, bool is_verify) {
-  if (!pkey_supports_algorithm(ssl, pkey, sigalg)) {
+  if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
     return false;
   }
@@ -216,12 +201,13 @@ enum ssl_private_key_result_t ssl_private_key_sign(
     SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
     uint16_t sigalg, Span<const uint8_t> in) {
   SSL *const ssl = hs->ssl;
+  const SSL_CREDENTIAL *const cred = hs->credential.get();
   SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
   Array<uint8_t> spki;
   if (hints) {
     ScopedCBB spki_cbb;
     if (!CBB_init(spki_cbb.get(), 64) ||
-        !EVP_marshal_public_key(spki_cbb.get(), hs->local_pubkey.get()) ||
+        !EVP_marshal_public_key(spki_cbb.get(), cred->pubkey.get()) ||
         !CBBFinishArray(spki_cbb.get(), &spki)) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
       return ssl_private_key_failure;
@@ -241,13 +227,9 @@ enum ssl_private_key_result_t ssl_private_key_sign(
     return ssl_private_key_success;
   }
 
-  const SSL_PRIVATE_KEY_METHOD *key_method = hs->config->cert->key_method;
-  EVP_PKEY *privatekey = hs->config->cert->privatekey.get();
+  const SSL_PRIVATE_KEY_METHOD *key_method = cred->key_method;
+  EVP_PKEY *privkey = cred->privkey.get();
   assert(!hs->can_release_private_key);
-  if (ssl_signing_with_dc(hs)) {
-    key_method = hs->config->cert->dc_key_method;
-    privatekey = hs->config->cert->dc_privatekey.get();
-  }
 
   if (key_method != NULL) {
     enum ssl_private_key_result_t ret;
@@ -267,7 +249,7 @@ enum ssl_private_key_result_t ssl_private_key_sign(
   } else {
     *out_len = max_out;
     ScopedEVP_MD_CTX ctx;
-    if (!setup_ctx(ssl, ctx.get(), privatekey, sigalg, false /* sign */) ||
+    if (!setup_ctx(ssl, ctx.get(), privkey, sigalg, false /* sign */) ||
         !EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) {
       return ssl_private_key_failure;
     }
@@ -307,14 +289,15 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
                                                       size_t max_out,
                                                       Span<const uint8_t> in) {
   SSL *const ssl = hs->ssl;
+  const SSL_CREDENTIAL *const cred = hs->credential.get();
   assert(!hs->can_release_private_key);
-  if (hs->config->cert->key_method != NULL) {
+  if (cred->key_method != NULL) {
     enum ssl_private_key_result_t ret;
     if (hs->pending_private_key_op) {
-      ret = hs->config->cert->key_method->complete(ssl, out, out_len, max_out);
+      ret = cred->key_method->complete(ssl, out, out_len, max_out);
     } else {
-      ret = hs->config->cert->key_method->decrypt(ssl, out, out_len, max_out,
-                                                  in.data(), in.size());
+      ret = cred->key_method->decrypt(ssl, out, out_len, max_out, in.data(),
+                                      in.size());
     }
     if (ret == ssl_private_key_failure) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);
@@ -323,7 +306,7 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
     return ret;
   }
 
-  RSA *rsa = EVP_PKEY_get0_RSA(hs->config->cert->privatekey.get());
+  RSA *rsa = EVP_PKEY_get0_RSA(cred->privkey.get());
   if (rsa == NULL) {
     // Decrypt operations are only supported for RSA keys.
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -339,28 +322,6 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
   return ssl_private_key_success;
 }
 
-bool ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,
-                                                  uint16_t sigalg) {
-  SSL *const ssl = hs->ssl;
-  if (!pkey_supports_algorithm(ssl, hs->local_pubkey.get(), sigalg)) {
-    return false;
-  }
-
-  // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
-  // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
-  // hash in TLS. Reasonable RSA key sizes are large enough for the largest
-  // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for
-  // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the
-  // size so that we can fall back to another algorithm in that case.
-  const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
-  if (alg->is_rsa_pss && (size_t)EVP_PKEY_size(hs->local_pubkey.get()) <
-                             2 * EVP_MD_size(alg->digest_func()) + 2) {
-    return false;
-  }
-
-  return true;
-}
-
 BSSL_NAMESPACE_END
 
 using namespace bssl;
@@ -378,7 +339,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) {
     return 0;
   }
 
-  return ssl_set_pkey(ssl->config->cert.get(), pkey.get());
+  return SSL_use_PrivateKey(ssl, pkey.get());
 }
 
 int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
@@ -397,7 +358,8 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) {
     return 0;
   }
 
-  return ssl_set_pkey(ssl->config->cert.get(), pkey);
+  return SSL_CREDENTIAL_set1_private_key(
+      ssl->config->cert->default_credential.get(), pkey);
 }
 
 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der,
@@ -430,7 +392,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) {
     return 0;
   }
 
-  return ssl_set_pkey(ctx->cert.get(), pkey.get());
+  return SSL_CTX_use_PrivateKey(ctx, pkey.get());
 }
 
 int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der,
@@ -450,7 +412,8 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) {
     return 0;
   }
 
-  return ssl_set_pkey(ctx->cert.get(), pkey);
+  return SSL_CREDENTIAL_set1_private_key(ctx->cert->default_credential.get(),
+                                         pkey);
 }
 
 int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der,
@@ -475,12 +438,14 @@ void SSL_set_private_key_method(SSL *ssl,
   if (!ssl->config) {
     return;
   }
-  ssl->config->cert->key_method = key_method;
+  BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method(
+      ssl->config->cert->default_credential.get(), key_method));
 }
 
 void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
                                     const SSL_PRIVATE_KEY_METHOD *key_method) {
-  ctx->cert->key_method = key_method;
+  BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method(
+      ctx->cert->default_credential.get(), key_method));
 }
 
 static constexpr size_t kMaxSignatureAlgorithmNameLen = 23;
@@ -632,9 +597,28 @@ static bool set_sigalg_prefs(Array<uint16_t> *out, Span<const uint16_t> prefs) {
   return true;
 }
 
+int SSL_CREDENTIAL_set1_signing_algorithm_prefs(SSL_CREDENTIAL *cred,
+                                                const uint16_t *prefs,
+                                                size_t num_prefs) {
+  if (!cred->UsesPrivateKey()) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+
+  // Delegated credentials are constrained to a single algorithm, so there is no
+  // need to configure this.
+  if (cred->type == SSLCredentialType::kDelegated) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+
+  return set_sigalg_prefs(&cred->sigalgs, MakeConstSpan(prefs, num_prefs));
+}
+
 int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
                                         size_t num_prefs) {
-  return set_sigalg_prefs(&ctx->cert->sigalgs, MakeConstSpan(prefs, num_prefs));
+  return SSL_CREDENTIAL_set1_signing_algorithm_prefs(
+      ctx->cert->default_credential.get(), prefs, num_prefs);
 }
 
 int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
@@ -642,8 +626,8 @@ int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
   if (!ssl->config) {
     return 0;
   }
-  return set_sigalg_prefs(&ssl->config->cert->sigalgs,
-                          MakeConstSpan(prefs, num_prefs));
+  return SSL_CREDENTIAL_set1_signing_algorithm_prefs(
+      ssl->config->cert->default_credential.get(), prefs, num_prefs);
 }
 
 static constexpr struct {

data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc

@@ -935,7 +935,8 @@ BSSL_NAMESPACE_END
 using namespace bssl;
 
 ssl_session_st::ssl_session_st(const SSL_X509_METHOD *method)
-    : x509_method(method),
+    : RefCounted(CheckSubClass()),
+      x509_method(method),
       extended_master_secret(false),
       peer_sha256_valid(false),
       not_resumable(false),
@@ -957,18 +958,14 @@ SSL_SESSION *SSL_SESSION_new(const SSL_CTX *ctx) {
 }
 
 int SSL_SESSION_up_ref(SSL_SESSION *session) {
-  CRYPTO_refcount_inc(&session->references);
+  session->UpRefInternal();
   return 1;
 }
 
 void SSL_SESSION_free(SSL_SESSION *session) {
-  if (session == NULL ||
-      !CRYPTO_refcount_dec_and_test_zero(&session->references)) {
-    return;
+  if (session != nullptr) {
+    session->DecRefInternal();
   }
-
-  session->~ssl_session_st();
-  OPENSSL_free(session);
 }
 
 const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session,
@@ -1206,12 +1203,7 @@ int SSL_SESSION_get_ex_new_index(long argl, void *argp,
                                  CRYPTO_EX_unused *unused,
                                  CRYPTO_EX_dup *dup_unused,
                                  CRYPTO_EX_free *free_func) {
-  int index;
-  if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
-                               free_func)) {
-    return -1;
-  }
-  return index;
+  return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);
 }
 
 int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg) {