You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by so...@apache.org on 2017/02/09 22:17:52 UTC
[trafficserver] branch 6.2.x updated (0b1f28b -> a858aad)
This is an automated email from the ASF dual-hosted git repository.
sorber pushed a change to branch 6.2.x
in repository https://git-dual.apache.org/repos/asf/trafficserver.git.
from 0b1f28b Fix Assertion failure in the regex_revalidate plugin.
new 8f03bec TS-4435: Changes to enable ATS to compile against openssl-1.1 beta.
new 0695bf5 TS-5059: SSL_set_rbio() renamed SSL_set0_rbio()
new 6a0b279 TS-5059: OpenSSL 1.1 EVP_MD_CTX and HMAC_CTX
new a858aad SSL_CTX_remove_session() and external cache
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Summary of changes:
build/crypto.m4 | 38 +++++++++-
configure.ac | 5 +-
iocore/net/SSLDynlock.cc | 3 +
iocore/net/SSLInternal.cc | 4 +-
iocore/net/SSLNetVConnection.cc | 6 +-
iocore/net/SSLUtils.cc | 121 +++++++++++++++++++++++++++-----
lib/ts/HashMD5.cc | 21 ++++--
lib/ts/HashMD5.h | 2 +-
lib/ts/ink_config.h.in | 1 +
plugins/experimental/s3_auth/s3_auth.cc | 50 ++++++++-----
10 files changed, 199 insertions(+), 52 deletions(-)
--
To stop receiving notification emails like this one, please contact
['"commits@trafficserver.apache.org" <co...@trafficserver.apache.org>'].
[trafficserver] 03/04: TS-5059: OpenSSL 1.1 EVP_MD_CTX and HMAC_CTX
Posted by so...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
sorber pushed a commit to branch 6.2.x
in repository https://git-dual.apache.org/repos/asf/trafficserver.git
commit 6a0b2790811669a9841f0fa5239c3da6e12363b9
Author: Jack Bates <ja...@nottheoilrig.com>
AuthorDate: Mon Jan 2 17:16:33 2017 -0700
TS-5059: OpenSSL 1.1 EVP_MD_CTX and HMAC_CTX
EVP_MD_CTX and HMAC_CTX were made opaque in OpenSSL 1.1 [1],
so allocating them on the stack is no longer supported.
Also EVP_MD_CTX_cleanup() was removed. EVP_MD_CTX_reset() should be
called instead, to reinitialise an already created structure.
[1] https://www.openssl.org/news/changelog#x4
(cherry picked from commit 92d004cfd6d8e7069ce0a959e5f1327789090261)
---
lib/ts/HashMD5.cc | 11 ++++++--
plugins/experimental/s3_auth/s3_auth.cc | 50 ++++++++++++++++++++-------------
2 files changed, 39 insertions(+), 22 deletions(-)
diff --git a/lib/ts/HashMD5.cc b/lib/ts/HashMD5.cc
index c457b71..d6546d3 100644
--- a/lib/ts/HashMD5.cc
+++ b/lib/ts/HashMD5.cc
@@ -20,6 +20,7 @@
*/
#include "ts/HashMD5.h"
+#include "ts/ink_assert.h"
ATSHashMD5::ATSHashMD5(void)
{
@@ -65,9 +66,13 @@ ATSHashMD5::size(void) const
void
ATSHashMD5::clear(void)
{
- EVP_MD_CTX_destroy(ctx);
- ctx = EVP_MD_CTX_create();
- EVP_DigestInit(ctx, EVP_md5());
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_MD_CTX_reset(ctx) EVP_MD_CTX_cleanup((ctx))
+#endif
+ int ret = EVP_MD_CTX_reset(ctx);
+ ink_assert(ret == 1);
+ ret = EVP_DigestInit_ex(ctx, EVP_md5(), nullptr);
+ ink_assert(ret == 1);
md_len = 0;
finalized = false;
}
diff --git a/plugins/experimental/s3_auth/s3_auth.cc b/plugins/experimental/s3_auth/s3_auth.cc
index cd17a9d..f9697c5 100644
--- a/plugins/experimental/s3_auth/s3_auth.cc
+++ b/plugins/experimental/s3_auth/s3_auth.cc
@@ -410,37 +410,49 @@ S3Request::authorize(S3Config *s3)
TSDebug(PLUGIN_NAME, "%s", left);
}
- // Produce the SHA1 MAC digest
- HMAC_CTX ctx;
+// Produce the SHA1 MAC digest
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX ctx[1];
+#else
+ HMAC_CTX *ctx;
+#endif
unsigned int hmac_len;
size_t hmac_b64_len;
unsigned char hmac[SHA_DIGEST_LENGTH];
char hmac_b64[SHA_DIGEST_LENGTH * 2];
- HMAC_CTX_init(&ctx);
- HMAC_Init_ex(&ctx, s3->secret(), s3->secret_len(), EVP_sha1(), NULL);
- HMAC_Update(&ctx, (unsigned char *)method, method_len);
- HMAC_Update(&ctx, (unsigned char *)"\n", 1);
- HMAC_Update(&ctx, (unsigned char *)con_md5, con_md5_len);
- HMAC_Update(&ctx, (unsigned char *)"\n", 1);
- HMAC_Update(&ctx, (unsigned char *)con_type, con_type_len);
- HMAC_Update(&ctx, (unsigned char *)"\n", 1);
- HMAC_Update(&ctx, (unsigned char *)date, date_len);
- HMAC_Update(&ctx, (unsigned char *)"\n/", 2);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX_init(ctx);
+#else
+ ctx = HMAC_CTX_new();
+#endif
+ HMAC_Init_ex(ctx, s3->secret(), s3->secret_len(), EVP_sha1(), nullptr);
+ HMAC_Update(ctx, (unsigned char *)method, method_len);
+ HMAC_Update(ctx, (unsigned char *)"\n", 1);
+ HMAC_Update(ctx, (unsigned char *)con_md5, con_md5_len);
+ HMAC_Update(ctx, (unsigned char *)"\n", 1);
+ HMAC_Update(ctx, (unsigned char *)con_type, con_type_len);
+ HMAC_Update(ctx, (unsigned char *)"\n", 1);
+ HMAC_Update(ctx, (unsigned char *)date, date_len);
+ HMAC_Update(ctx, (unsigned char *)"\n/", 2);
if (host && host_endp) {
- HMAC_Update(&ctx, (unsigned char *)host, host_endp - host);
- HMAC_Update(&ctx, (unsigned char *)"/", 1);
+ HMAC_Update(ctx, (unsigned char *)host, host_endp - host);
+ HMAC_Update(ctx, (unsigned char *)"/", 1);
}
- HMAC_Update(&ctx, (unsigned char *)path, path_len);
+ HMAC_Update(ctx, (unsigned char *)path, path_len);
if (param) {
- HMAC_Update(&ctx, (unsigned char *)";", 1); // TSUrlHttpParamsGet() does not include ';'
- HMAC_Update(&ctx, (unsigned char *)param, param_len);
+ HMAC_Update(ctx, (unsigned char *)";", 1); // TSUrlHttpParamsGet() does not include ';'
+ HMAC_Update(ctx, (unsigned char *)param, param_len);
}
- HMAC_Final(&ctx, hmac, &hmac_len);
- HMAC_CTX_cleanup(&ctx);
+ HMAC_Final(ctx, hmac, &hmac_len);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX_cleanup(ctx);
+#else
+ HMAC_CTX_free(ctx);
+#endif
// Do the Base64 encoding and set the Authorization header.
if (TS_SUCCESS == TSBase64Encode((const char *)hmac, hmac_len, hmac_b64, sizeof(hmac_b64) - 1, &hmac_b64_len)) {
--
To stop receiving notification emails like this one, please contact
"commits@trafficserver.apache.org" <co...@trafficserver.apache.org>.
[trafficserver] 01/04: TS-4435: Changes to enable ATS to compile
against openssl-1.1 beta.
Posted by so...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
sorber pushed a commit to branch 6.2.x
in repository https://git-dual.apache.org/repos/asf/trafficserver.git
commit 8f03bec21ae09e3c49f037aecfbf0685ff2fe46c
Author: shinrich <sh...@localhost.localdomain>
AuthorDate: Wed May 11 19:00:01 2016 -0500
TS-4435: Changes to enable ATS to compile against openssl-1.1 beta.
(cherry picked from commit 26e1aefe9b58118d3e278761720fbdae9ef43ce3)
---
build/crypto.m4 | 34 ++++++++++++++
configure.ac | 3 ++
iocore/net/SSLDynlock.cc | 3 ++
iocore/net/SSLUtils.cc | 119 +++++++++++++++++++++++++++++++++++++++++------
lib/ts/HashMD5.cc | 16 ++++---
lib/ts/HashMD5.h | 2 +-
lib/ts/ink_config.h.in | 1 +
7 files changed, 155 insertions(+), 23 deletions(-)
diff --git a/build/crypto.m4 b/build/crypto.m4
index 9559f45..2f3bb0d 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -196,3 +196,37 @@ AC_DEFUN([TS_CHECK_CRYPTO_SET_RBIO], [
TS_ARG_ENABLE_VAR([use], [set-rbio])
AC_SUBST(use_set_rbio)
])
+
+AC_DEFUN([TS_CHECK_CRYPTO_DH_GET_2048_256], [
+ _dh_saved_LIBS=$LIBS
+ enable_dh_get_2048_256=yes
+
+ TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+ AC_MSG_CHECKING([for DH_get_2048_256])
+ AC_LINK_IFELSE(
+ [
+ AC_LANG_PROGRAM([[
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#if HAVE_OPENSSL_TLS1_H
+#include <openssl/tls1.h>
+#endif
+ ]],
+ [[DH_get_2048_256();]])
+ ],
+ [
+ AC_MSG_RESULT([yes])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ enable_dh_get_2048_256=no
+ ])
+
+ LIBS=$_dh_saved_LIBS
+
+ AC_MSG_CHECKING(whether to enable DH_get_2048_256)
+ AC_MSG_RESULT([$enable_dh_get_2048_256])
+ TS_ARG_ENABLE_VAR([use], [dh_get_2048_256])
+ AC_SUBST(use_dh_get_2048_256)
+])
diff --git a/configure.ac b/configure.ac
index e692795..aca1094 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1151,6 +1151,9 @@ TS_CHECK_CRYPTO_CERT_CB
# Check for SSL_set_rbio call
TS_CHECK_CRYPTO_SET_RBIO
+# Check for DH_get_2048_256
+TS_CHECK_CRYPTO_DH_GET_2048_256
+
#
# Check for zlib presence and usability
TS_CHECK_ZLIB
diff --git a/iocore/net/SSLDynlock.cc b/iocore/net/SSLDynlock.cc
index 75d514b..c4ddc3d 100644
--- a/iocore/net/SSLDynlock.cc
+++ b/iocore/net/SSLDynlock.cc
@@ -43,6 +43,8 @@ ssl_dyn_create_callback(const char *file, int line)
return value;
}
+// The locking callback goes away with openssl 1.1 and CRYPTO_LOCK is on longer defined
+#ifdef CRYPTO_LOCK
void
ssl_dyn_lock_callback(int mode, struct CRYPTO_dynlock_value *value, const char *file, int line)
{
@@ -57,6 +59,7 @@ ssl_dyn_lock_callback(int mode, struct CRYPTO_dynlock_value *value, const char *
ink_release_assert(0);
}
}
+#endif
void
ssl_dyn_destroy_callback(struct CRYPTO_dynlock_value *value, const char *file, int line)
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index dff5d9c..a8d62e8 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -131,12 +131,18 @@ static InkHashTable *ssl_cipher_name_table = NULL;
* may use pthreads and openssl without confusing us here. (TS-2271).
*/
+// Only define this function if the version of openssl really has a
+// CRYPTO_THREADID_set_callback function. openssl 1.1.0 defines it to 0
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
static void
SSL_pthreads_thread_id(CRYPTO_THREADID *id)
{
CRYPTO_THREADID_set_numeric(id, (unsigned long)pthread_self());
}
+#endif
+// The locking callback goes away with openssl 1.1 and CRYPTO_LOCK is on longer defined
+#ifdef CRYPTO_LOCK
static void
SSL_locking_callback(int mode, int type, const char *file, int line)
{
@@ -159,6 +165,7 @@ SSL_locking_callback(int mode, int type, const char *file, int line)
ink_assert(0);
}
}
+#endif
#ifndef SSL_CTX_add0_chain_cert
static bool
@@ -195,7 +202,11 @@ ssl_session_timed_out(SSL_SESSION *session)
static void ssl_rm_cached_session(SSL_CTX *ctx, SSL_SESSION *sess);
static SSL_SESSION *
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+ssl_get_cached_session(SSL *ssl, const unsigned char *id, int len, int *copy)
+#else
ssl_get_cached_session(SSL *ssl, unsigned char *id, int len, int *copy)
+#endif
{
SSLSessionID sid(id, len);
@@ -428,9 +439,10 @@ done:
#endif
#endif /* TS_USE_TLS_SNI */
+#if TS_USE_GET_DH_2048_256 == 0
/* Build 2048-bit MODP Group with 256-bit Prime Order Subgroup from RFC 5114 */
static DH *
-get_dh2048()
+DH_get_2048_256()
{
static const unsigned char dh2048_p[] = {
0x87, 0xA8, 0xE6, 0x1D, 0xB4, 0xB6, 0x66, 0x3C, 0xFF, 0xBB, 0xD1, 0x9C, 0x65, 0x19, 0x59, 0x99, 0x8C, 0xEE, 0xF6, 0x08,
@@ -472,6 +484,7 @@ get_dh2048()
}
return (dh);
}
+#endif
static SSL_CTX *
ssl_context_enable_dhe(const char *dhparams_file, SSL_CTX *ctx)
@@ -482,7 +495,7 @@ ssl_context_enable_dhe(const char *dhparams_file, SSL_CTX *ctx)
scoped_BIO bio(BIO_new_file(dhparams_file, "r"));
server_dh = PEM_read_bio_DHparams(bio.get(), NULL, NULL, NULL);
} else {
- server_dh = get_dh2048();
+ server_dh = DH_get_2048_256();
}
if (!server_dh) {
@@ -788,21 +801,68 @@ SSLRecRawStatSyncCount(const char *name, RecDataT data_type, RecData *data, RecR
SSL_SET_COUNT_DYN_STAT(ssl_user_agent_session_timeout_stat, timeouts);
return RecRawStatSyncCount(name, data_type, data, rsb, id);
}
-
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+void *
+ssl_malloc(size_t size, const char * /*filename */, int /*lineno*/)
+#else
void *
ssl_malloc(size_t size)
+#endif
{
- return ats_track_malloc(size, &ssl_memory_allocated);
+ return ats_malloc(size);
}
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+void *
+ssl_realloc(void *ptr, size_t size, const char * /*filename*/, int /*lineno*/)
+#else
void *
ssl_realloc(void *ptr, size_t size)
+#endif
{
- return ats_track_realloc(ptr, size, &ssl_memory_allocated, &ssl_memory_freed);
+ return ats_realloc(ptr, size);
}
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+void
+ssl_free(void *ptr, const char * /*filename*/, int /*lineno*/)
+#else
void
ssl_free(void *ptr)
+#endif
+{
+ ats_free(ptr);
+}
+
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+void *
+ssl_track_malloc(size_t size, const char * /*filename*/, int /*lineno*/)
+#else
+void *
+ssl_track_malloc(size_t size)
+#endif
+{
+ return ats_track_malloc(size, &ssl_memory_allocated);
+}
+
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+void *
+ssl_track_realloc(void *ptr, size_t size, const char * /*filename*/, int /*lineno*/)
+#else
+void *
+ssl_track_realloc(void *ptr, size_t size)
+#endif
+{
+ return ats_track_realloc(ptr, size, &ssl_memory_allocated, &ssl_memory_freed);
+}
+
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
+void
+ssl_track_free(void *ptr, const char * /*filename*/, int /*lineno*/)
+#else
+void
+ssl_track_free(void *ptr)
+#endif
{
ats_track_free(ptr, &ssl_memory_freed);
}
@@ -814,9 +874,9 @@ SSLInitializeLibrary()
// BoringSSL does not have the memory functions
#ifndef OPENSSL_IS_BORINGSSL
if (res_track_memory >= 2) {
- CRYPTO_set_mem_functions(ssl_malloc, ssl_realloc, ssl_free);
+ CRYPTO_set_mem_functions(ssl_track_malloc, ssl_track_realloc, ssl_track_free);
} else {
- CRYPTO_set_mem_functions(ats_malloc, ats_realloc, ats_free);
+ CRYPTO_set_mem_functions(ssl_malloc, ssl_realloc, ssl_free);
}
#endif
@@ -1038,30 +1098,42 @@ increment_ssl_client_error(unsigned long err)
// (we ignore FUNCTION with the prejudice that we don't care what function
// the error came from, hope that's ok?)
switch (ERR_GET_REASON(err)) {
+#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED
case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_expired_cert_stat);
break;
+#endif
+#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED
case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_revoked_cert_stat);
break;
+#endif
+#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_unknown_cert_stat);
break;
+#endif
case SSL_R_CERTIFICATE_VERIFY_FAILED:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_cert_verify_failed_stat);
break;
+#ifdef SSL_R_SSLV3_ALERT_BAD_CERTIFICATE
case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_bad_cert_stat);
break;
+#endif
+#ifdef SSL_R_TLSV1_ALERT_DECRYPTION_FAILED
case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_decryption_failed_stat);
break;
+#endif
case SSL_R_WRONG_VERSION_NUMBER:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_wrong_version_stat);
break;
+#ifdef SSL_R_TLSV1_ALERT_UNKNOWN_CA
case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_unknown_ca_stat);
break;
+#endif
default:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_other_errors_stat);
return false;
@@ -1085,30 +1157,42 @@ increment_ssl_server_error(unsigned long err)
// (we ignore FUNCTION with the prejudice that we don't care what function
// the error came from, hope that's ok?)
switch (ERR_GET_REASON(err)) {
+#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED
case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_expired_cert_stat);
break;
+#endif
+#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED
case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_revoked_cert_stat);
break;
+#endif
+#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_unknown_cert_stat);
break;
+#endif
case SSL_R_CERTIFICATE_VERIFY_FAILED:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_cert_verify_failed_stat);
break;
+#ifdef SSL_R_SSLV3_ALERT_BAD_CERTIFICATE
case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_bad_cert_stat);
break;
+#endif
+#ifdef SSL_R_TLSV1_ALERT_DECRYPTION_FAILED
case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_decryption_failed_stat);
break;
+#endif
case SSL_R_WRONG_VERSION_NUMBER:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_wrong_version_stat);
break;
+#ifdef SSL_R_TLSV1_ALERT_UNKNOWN_CA
case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_unknown_ca_stat);
break;
+#endif
default:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_other_errors_stat);
return false;
@@ -1288,8 +1372,8 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config &sslMu
{
int server_verify_client;
ats_scoped_str completeServerCertPath;
- SSL_CTX *ctx = SSLDefaultServerContext();
- EVP_MD_CTX digest;
+ SSL_CTX *ctx = SSLDefaultServerContext();
+ EVP_MD_CTX *digest = EVP_MD_CTX_create();
STACK_OF(X509_NAME) *ca_list = NULL;
unsigned char hash_buf[EVP_MAX_MD_SIZE];
unsigned int hash_len = 0;
@@ -1522,9 +1606,9 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config &sslMu
SSL_CTX_set_client_CA_list(ctx, ca_list);
}
}
- EVP_MD_CTX_init(&digest);
+ EVP_MD_CTX_init(digest);
- if (EVP_DigestInit_ex(&digest, evp_md_func, NULL) == 0) {
+ if (EVP_DigestInit_ex(digest, evp_md_func, NULL) == 0) {
SSLError("EVP_DigestInit_ex failed");
goto fail;
}
@@ -1532,7 +1616,7 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config &sslMu
Debug("ssl", "Using '%s' in hash for session id context", sslMultCertSettings.cert.get());
if (NULL != setting_cert) {
- if (EVP_DigestUpdate(&digest, sslMultCertSettings.cert, strlen(setting_cert)) == 0) {
+ if (EVP_DigestUpdate(digest, sslMultCertSettings.cert, strlen(setting_cert)) == 0) {
SSLError("EVP_DigestUpdate failed");
goto fail;
}
@@ -1544,19 +1628,18 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config &sslMu
for (size_t i = 0; i < num_certs; i++) {
X509_NAME *name = sk_X509_NAME_value(ca_list, i);
if (X509_NAME_digest(name, evp_md_func, hash_buf /* borrow our final hash buffer. */, &hash_len) == 0 ||
- EVP_DigestUpdate(&digest, hash_buf, hash_len) == 0) {
+ EVP_DigestUpdate(digest, hash_buf, hash_len) == 0) {
SSLError("Adding X509 name to digest failed");
goto fail;
}
}
}
- if (EVP_DigestFinal_ex(&digest, hash_buf, &hash_len) == 0) {
+ if (EVP_DigestFinal_ex(digest, hash_buf, &hash_len) == 0) {
SSLError("EVP_DigestFinal_ex failed");
goto fail;
}
- EVP_MD_CTX_cleanup(&digest);
if (SSL_CTX_set_session_id_context(ctx, hash_buf, hash_len) == 0) {
SSLError("SSL_CTX_set_session_id_context failed");
goto fail;
@@ -1581,6 +1664,8 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config &sslMu
return ssl_context_enable_ecdh(ctx);
fail:
+ // EVP_MD_CTX_destroy calls EVP_MD_CTX_cleanup too
+ EVP_MD_CTX_destroy(digest);
SSL_CLEAR_PW_REFERENCES(ud, ctx)
SSL_CTX_free(ctx);
for (unsigned int i = 0; i < certList.length(); i++) {
@@ -1680,7 +1765,11 @@ ssl_callback_info(const SSL *ssl, int where, int ret)
#ifdef SSL23_ST_SR_CLNT_HELLO_A
if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) {
#else
+#ifdef SSL3_ST_SR_CLNT_HELLO_A
if (state == SSL3_ST_SR_CLNT_HELLO_A) {
+#else
+ if (state == TLS_ST_SR_CLNT_HELLO) {
+#endif
#endif
netvc->setSSLClientRenegotiationAbort(true);
Debug("ssl", "ssl_callback_info trying to renegotiate from the client");
diff --git a/lib/ts/HashMD5.cc b/lib/ts/HashMD5.cc
index ae6e051..c457b71 100644
--- a/lib/ts/HashMD5.cc
+++ b/lib/ts/HashMD5.cc
@@ -23,7 +23,8 @@
ATSHashMD5::ATSHashMD5(void)
{
- EVP_DigestInit(&ctx, EVP_md5());
+ ctx = EVP_MD_CTX_create();
+ EVP_DigestInit(ctx, EVP_md5());
md_len = 0;
finalized = false;
}
@@ -32,7 +33,7 @@ void
ATSHashMD5::update(const void *data, size_t len)
{
if (!finalized) {
- EVP_DigestUpdate(&ctx, data, len);
+ EVP_DigestUpdate(ctx, data, len);
}
}
@@ -40,7 +41,7 @@ void
ATSHashMD5::final(void)
{
if (!finalized) {
- EVP_DigestFinal_ex(&ctx, md_value, &md_len);
+ EVP_DigestFinal_ex(ctx, md_value, &md_len);
finalized = true;
}
}
@@ -58,19 +59,20 @@ ATSHashMD5::get(void) const
size_t
ATSHashMD5::size(void) const
{
- return EVP_MD_CTX_size(&ctx);
+ return EVP_MD_CTX_size(ctx);
}
void
ATSHashMD5::clear(void)
{
- EVP_MD_CTX_cleanup(&ctx);
- EVP_DigestInit(&ctx, EVP_md5());
+ EVP_MD_CTX_destroy(ctx);
+ ctx = EVP_MD_CTX_create();
+ EVP_DigestInit(ctx, EVP_md5());
md_len = 0;
finalized = false;
}
ATSHashMD5::~ATSHashMD5()
{
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_destroy(ctx);
}
diff --git a/lib/ts/HashMD5.h b/lib/ts/HashMD5.h
index 8a353c5..89ac67a 100644
--- a/lib/ts/HashMD5.h
+++ b/lib/ts/HashMD5.h
@@ -35,7 +35,7 @@ struct ATSHashMD5 : ATSHash {
~ATSHashMD5();
private:
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned char md_value[EVP_MAX_MD_SIZE];
unsigned int md_len;
bool finalized;
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 7cfa2e1..71a61ff 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -75,6 +75,7 @@
#define TS_USE_TLS_SNI @use_tls_sni@
#define TS_USE_CERT_CB @use_cert_cb@
#define TS_USE_SET_RBIO @use_set_rbio@
+#define TS_USE_GET_DH_2048_256 @use_dh_get_2048_256@
#define TS_USE_TLS_ECKEY @use_tls_eckey@
#define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
#define TS_USE_REMOTE_UNWINDING @use_remote_unwinding@
--
To stop receiving notification emails like this one, please contact
"commits@trafficserver.apache.org" <co...@trafficserver.apache.org>.
[trafficserver] 04/04: SSL_CTX_remove_session() and external cache
Posted by so...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
sorber pushed a commit to branch 6.2.x
in repository https://git-dual.apache.org/repos/asf/trafficserver.git
commit a858aadd9a3966c218fdceda5d206a6013089e11
Author: Jack Bates <ja...@nottheoilrig.com>
AuthorDate: Sat Jan 28 15:25:31 2017 -0700
SSL_CTX_remove_session() and external cache
The remove session callback is triggered when a session is removed,
so at best, calling SSL_CTX_remove_session() again is redundant.
In OpenSSL 1.1 it's recursive.
Fixes #1386
(cherry picked from commit cf33b5bfa2cbb362cff2f13711e718f5316c8589)
---
iocore/net/SSLUtils.cc | 2 --
1 file changed, 2 deletions(-)
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index a8d62e8..407a4a5 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -265,8 +265,6 @@ ssl_new_cached_session(SSL *ssl, SSL_SESSION *sess)
static void
ssl_rm_cached_session(SSL_CTX *ctx, SSL_SESSION *sess)
{
- SSL_CTX_remove_session(ctx, sess);
-
unsigned int len = 0;
const unsigned char *id = SSL_SESSION_get_id(sess, &len);
SSLSessionID sid(id, len);
--
To stop receiving notification emails like this one, please contact
"commits@trafficserver.apache.org" <co...@trafficserver.apache.org>.
[trafficserver] 02/04: TS-5059: SSL_set_rbio() renamed
SSL_set0_rbio()
Posted by so...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
sorber pushed a commit to branch 6.2.x
in repository https://git-dual.apache.org/repos/asf/trafficserver.git
commit 0695bf580674c8c7f5e77720db0c4b4eaaaff2f0
Author: Jack Bates <ja...@nottheoilrig.com>
AuthorDate: Mon Jan 2 14:25:09 2017 -0700
TS-5059: SSL_set_rbio() renamed SSL_set0_rbio()
It was renamed before OpenSSL 1.1 was released [1][2].
[1] https://github.com/openssl/openssl/commit/65e2d672548e7c4bcb28f1c5c835362830b1745b
[2] https://rt.openssl.org/Ticket/Display.html?id=4572
(cherry picked from commit 1a08a61f86c0c08871961e5386e44f88bacccbe8)
---
build/crypto.m4 | 4 ++--
configure.ac | 2 +-
iocore/net/SSLInternal.cc | 4 ++--
iocore/net/SSLNetVConnection.cc | 6 +++---
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/build/crypto.m4 b/build/crypto.m4
index 2f3bb0d..dc6fbd8 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -168,7 +168,7 @@ AC_DEFUN([TS_CHECK_CRYPTO_SET_RBIO], [
enable_set_rbio=yes
TS_ADDTO(LIBS, [$OPENSSL_LIBS])
- AC_MSG_CHECKING([for SSL_set_rbio])
+ AC_MSG_CHECKING([for SSL_set0_rbio])
AC_LINK_IFELSE(
[
AC_LANG_PROGRAM([[
@@ -179,7 +179,7 @@ AC_DEFUN([TS_CHECK_CRYPTO_SET_RBIO], [
#include <openssl/tls1.h>
#endif
]],
- [[SSL_set_rbio(NULL, NULL);]])
+ [[SSL_set0_rbio(NULL, NULL);]])
],
[
AC_MSG_RESULT([yes])
diff --git a/configure.ac b/configure.ac
index aca1094..31adfff 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1148,7 +1148,7 @@ TS_CHECK_CRYPTO_SNI
TS_CHECK_CRYPTO_CERT_CB
#
-# Check for SSL_set_rbio call
+# Check for SSL_set0_rbio call
TS_CHECK_CRYPTO_SET_RBIO
# Check for DH_get_2048_256
diff --git a/iocore/net/SSLInternal.cc b/iocore/net/SSLInternal.cc
index deaf70e..f4145d9 100644
--- a/iocore/net/SSLInternal.cc
+++ b/iocore/net/SSLInternal.cc
@@ -23,7 +23,7 @@
*/
#include "ts/ink_config.h"
#if TS_USE_SET_RBIO
-// No need to do anything, this version of openssl provides the SSL_set_rbio function
+// No need to do anything, this version of openssl provides the SSL_set0_rbio function
#else
#ifdef OPENSSL_NO_SSL_INTERN
@@ -35,7 +35,7 @@
#include "P_SSLNetVConnection.h"
void
-SSL_set_rbio(SSL *ssl, BIO *rbio)
+SSL_set0_rbio(SSL *ssl, BIO *rbio)
{
if (ssl->rbio != NULL) {
BIO_free(ssl->rbio);
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 450c577..e204993 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -36,7 +36,7 @@
#if !TS_USE_SET_RBIO
// Defined in SSLInternal.c, should probably make a separate include
// file for this at some point
-void SSL_set_rbio(SSL *ssl, BIO *rbio);
+void SSL_set0_rbio(SSL *ssl, BIO *rbio);
#endif
// This is missing from BoringSSL
@@ -403,7 +403,7 @@ SSLNetVConnection::read_raw_data()
// Must be reset on each read
BIO *rbio = BIO_new_mem_buf(start, this->handShakeBioStored);
BIO_set_mem_eof_return(rbio, -1);
- SSL_set_rbio(this->ssl, rbio);
+ SSL_set0_rbio(this->ssl, rbio);
return r;
}
@@ -577,7 +577,7 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread)
// Must be reset on each read
BIO *rbio = BIO_new_mem_buf(start, this->handShakeBioStored);
BIO_set_mem_eof_return(rbio, -1);
- SSL_set_rbio(this->ssl, rbio);
+ SSL_set0_rbio(this->ssl, rbio);
}
}
}
--
To stop receiving notification emails like this one, please contact
"commits@trafficserver.apache.org" <co...@trafficserver.apache.org>.