Posted to commits@trafficserver.apache.org by no...@apache.org on 2017/01/03 21:02:48 UTC

[trafficserver] branch master updated: TS-5059: OpenSSL 1.1 EVP_MD_CTX and HMAC_CTX

This is an automated email from the ASF dual-hosted git repository.

nottheoilrig pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/master by this push:
       new  92d004c   TS-5059: OpenSSL 1.1 EVP_MD_CTX and HMAC_CTX
92d004c is described below

commit 92d004cfd6d8e7069ce0a959e5f1327789090261
Author: Jack Bates <ja...@nottheoilrig.com>
AuthorDate: Mon Jan 2 17:16:33 2017 -0700

    TS-5059: OpenSSL 1.1 EVP_MD_CTX and HMAC_CTX
    
    EVP_MD_CTX and HMAC_CTX were made opaque in OpenSSL 1.1 [1],
    so allocating them on the stack is no longer supported.
    
    Also EVP_MD_CTX_cleanup() was removed. EVP_MD_CTX_reset() should be
    called instead, to reinitialise an already created structure.
    
    [1] https://www.openssl.org/news/changelog#x4
---
 example/cppapi/websocket/WSBuffer.cc | 47 +++++++++++++++++++++++++--------
 lib/ts/HashMD5.cc                    |  5 +++-
 plugins/s3_auth/s3_auth.cc           | 50 ++++++++++++++++++++++--------------
 3 files changed, 71 insertions(+), 31 deletions(-)

diff --git a/example/cppapi/websocket/WSBuffer.cc b/example/cppapi/websocket/WSBuffer.cc
index 54fc48a..e84429c 100644
--- a/example/cppapi/websocket/WSBuffer.cc
+++ b/example/cppapi/websocket/WSBuffer.cc
@@ -157,29 +157,54 @@ WSBuffer::read_buffered_message(std::string &message, int &code)
 std::string
 WSBuffer::ws_digest(std::string const &key)
 {
-  EVP_MD_CTX digest;
-  EVP_MD_CTX_init(&digest);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+  EVP_MD_CTX digest[1];
+  EVP_MD_CTX_init(digest);
+#else
+  EVP_MD_CTX *digest;
+  digest = EVP_MD_CTX_new();
+#endif
 
-  if (!EVP_DigestInit_ex(&digest, EVP_sha1(), nullptr)) {
-    EVP_MD_CTX_cleanup(&digest);
+  if (!EVP_DigestInit_ex(digest, EVP_sha1(), nullptr)) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    EVP_MD_CTX_cleanup(digest);
+#else
+    EVP_MD_CTX_free(digest);
+#endif
     return "init-failed";
   }
-  if (!EVP_DigestUpdate(&digest, key.data(), key.length())) {
-    EVP_MD_CTX_cleanup(&digest);
+  if (!EVP_DigestUpdate(digest, key.data(), key.length())) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    EVP_MD_CTX_cleanup(digest);
+#else
+    EVP_MD_CTX_free(digest);
+#endif
     return "update1-failed";
   }
-  if (!EVP_DigestUpdate(&digest, magic.data(), magic.length())) {
-    EVP_MD_CTX_cleanup(&digest);
+  if (!EVP_DigestUpdate(digest, magic.data(), magic.length())) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    EVP_MD_CTX_cleanup(digest);
+#else
+    EVP_MD_CTX_free(digest);
+#endif
     return "update2-failed";
   }
 
   unsigned char hash_buf[EVP_MAX_MD_SIZE];
   unsigned int hash_len = 0;
-  if (!EVP_DigestFinal_ex(&digest, hash_buf, &hash_len)) {
-    EVP_MD_CTX_cleanup(&digest);
+  if (!EVP_DigestFinal_ex(digest, hash_buf, &hash_len)) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    EVP_MD_CTX_cleanup(digest);
+#else
+    EVP_MD_CTX_free(digest);
+#endif
     return "final-failed";
   }
-  EVP_MD_CTX_cleanup(&digest);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+  EVP_MD_CTX_cleanup(digest);
+#else
+  EVP_MD_CTX_free(digest);
+#endif
   if (hash_len != 20) {
     return "bad-hash-length";
   }
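Review bot: On the OpenSSL 1.1 branch the pointer returned by `EVP_MD_CTX_new()` is handed to `EVP_DigestInit_ex()` without a null check, so an allocation failure is not handled before the context is used and would most likely end in a null dereference inside the library. Adding `if (digest == nullptr) { return "init-failed"; }` directly after the allocation keeps the function's existing error convention. The five identical `#if`/`#else` cleanup blocks are easy to let drift apart; one file-local release helper, or a `std::unique_ptr` with a version-selected deleter, would leave a single place to maintain and remove the risk of a missed free on a new early return. The body of `WSBuffer::ws_digest` continues past the end of this hunk.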
diff --git a/lib/ts/HashMD5.cc b/lib/ts/HashMD5.cc
index 7abba0b..1ebd950 100644
--- a/lib/ts/HashMD5.cc
+++ b/lib/ts/HashMD5.cc
@@ -67,7 +67,10 @@ ATSHashMD5::size(void) const
 void
 ATSHashMD5::clear(void)
 {
-  int ret = EVP_MD_CTX_cleanup(ctx);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_MD_CTX_reset(ctx) EVP_MD_CTX_cleanup((ctx))
+#endif
+  int ret = EVP_MD_CTX_reset(ctx);
   ink_assert(ret == 1);
   ret = EVP_DigestInit_ex(ctx, EVP_md5(), nullptr);
   ink_assert(ret == 1);
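Review bot: The `#define EVP_MD_CTX_reset` shim sits inside the body of `ATSHashMD5::clear`, but a macro is not scoped to the function, so it silently applies to everything after it in the translation unit. Moving it up beside the includes with a comment such as `// OpenSSL < 1.1 has no EVP_MD_CTX_reset(); map it to EVP_MD_CTX_cleanup()` would make the compatibility layer visible and reusable. Both return values are checked only through `ink_assert`; if that compiles out in release builds (not visible here), a failed reset or re-init would pass unnoticed and later hashes would be computed on a bad context. The function continues outside the hunk.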
diff --git a/plugins/s3_auth/s3_auth.cc b/plugins/s3_auth/s3_auth.cc
index 79869dd..033b13a 100644
--- a/plugins/s3_auth/s3_auth.cc
+++ b/plugins/s3_auth/s3_auth.cc
@@ -416,37 +416,49 @@ S3Request::authorize(S3Config *s3)
     TSDebug(PLUGIN_NAME, "%s", left);
   }
 
-  // Produce the SHA1 MAC digest
-  HMAC_CTX ctx;
+// Produce the SHA1 MAC digest
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+  HMAC_CTX ctx[1];
+#else
+  HMAC_CTX *ctx;
+#endif
   unsigned int hmac_len;
   size_t hmac_b64_len;
   unsigned char hmac[SHA_DIGEST_LENGTH];
   char hmac_b64[SHA_DIGEST_LENGTH * 2];
 
-  HMAC_CTX_init(&ctx);
-  HMAC_Init_ex(&ctx, s3->secret(), s3->secret_len(), EVP_sha1(), nullptr);
-  HMAC_Update(&ctx, (unsigned char *)method, method_len);
-  HMAC_Update(&ctx, (unsigned char *)"\n", 1);
-  HMAC_Update(&ctx, (unsigned char *)con_md5, con_md5_len);
-  HMAC_Update(&ctx, (unsigned char *)"\n", 1);
-  HMAC_Update(&ctx, (unsigned char *)con_type, con_type_len);
-  HMAC_Update(&ctx, (unsigned char *)"\n", 1);
-  HMAC_Update(&ctx, (unsigned char *)date, date_len);
-  HMAC_Update(&ctx, (unsigned char *)"\n/", 2);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+  HMAC_CTX_init(ctx);
+#else
+  ctx = HMAC_CTX_new();
+#endif
+  HMAC_Init_ex(ctx, s3->secret(), s3->secret_len(), EVP_sha1(), nullptr);
+  HMAC_Update(ctx, (unsigned char *)method, method_len);
+  HMAC_Update(ctx, (unsigned char *)"\n", 1);
+  HMAC_Update(ctx, (unsigned char *)con_md5, con_md5_len);
+  HMAC_Update(ctx, (unsigned char *)"\n", 1);
+  HMAC_Update(ctx, (unsigned char *)con_type, con_type_len);
+  HMAC_Update(ctx, (unsigned char *)"\n", 1);
+  HMAC_Update(ctx, (unsigned char *)date, date_len);
+  HMAC_Update(ctx, (unsigned char *)"\n/", 2);
 
   if (host && host_endp) {
-    HMAC_Update(&ctx, (unsigned char *)host, host_endp - host);
-    HMAC_Update(&ctx, (unsigned char *)"/", 1);
+    HMAC_Update(ctx, (unsigned char *)host, host_endp - host);
+    HMAC_Update(ctx, (unsigned char *)"/", 1);
   }
 
-  HMAC_Update(&ctx, (unsigned char *)path, path_len);
+  HMAC_Update(ctx, (unsigned char *)path, path_len);
   if (param) {
-    HMAC_Update(&ctx, (unsigned char *)";", 1); // TSUrlHttpParamsGet() does not include ';'
-    HMAC_Update(&ctx, (unsigned char *)param, param_len);
+    HMAC_Update(ctx, (unsigned char *)";", 1); // TSUrlHttpParamsGet() does not include ';'
+    HMAC_Update(ctx, (unsigned char *)param, param_len);
   }
 
-  HMAC_Final(&ctx, hmac, &hmac_len);
-  HMAC_CTX_cleanup(&ctx);
+  HMAC_Final(ctx, hmac, &hmac_len);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+  HMAC_CTX_cleanup(ctx);
+#else
+  HMAC_CTX_free(ctx);
+#endif
 
   // Do the Base64 encoding and set the Authorization header.
   if (TS_SUCCESS == TSBase64Encode((const char *)hmac, hmac_len, hmac_b64, sizeof(hmac_b64) - 1, &hmac_b64_len)) {
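Review bot: None of the HMAC calls in this hunk have their results checked: `HMAC_CTX_new()` can return null, and `HMAC_Init_ex`, `HMAC_Update` and `HMAC_Final` return 0 on failure, yet `hmac` and `hmac_len` are declared uninitialised and go straight into `TSBase64Encode`. On a failure path that would base64-encode indeterminate stack bytes, with an indeterminate length, into the outgoing Authorization header. At minimum declare `unsigned int hmac_len = 0;`, bail out when `ctx` is null, and skip setting the header when any HMAC step fails. The failure return for `S3Request::authorize` lies outside the hunk, so the exact statement has to follow the rest of the function.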
