Posted to commits@impala.apache.org by tm...@apache.org on 2019/02/13 03:38:58 UTC

[impala] 02/04: Add support for compiling using OpenSSL 1.1

This is an automated email from the ASF dual-hosted git repository.

tmarshall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit d2b8b7b9b0f3a02e2418d9182007b736bb739a1b
Author: Hector Acosta <he...@cloudera.com>
AuthorDate: Fri Feb 8 14:50:17 2019 -0800

    Add support for compiling using OpenSSL 1.1
    
    Change-Id: Iaccf1b2dedf0d957a2665df8f9afca4139754264
    Reviewed-on: http://gerrit.cloudera.org:8080/12420
    Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
 be/src/util/openssl-util.cc | 45 ++++++++++++++++++++++++++++++++-------------
 1 file changed, 32 insertions(+), 13 deletions(-)

diff --git a/be/src/util/openssl-util.cc b/be/src/util/openssl-util.cc
index 2b66b86..da583cf 100644
--- a/be/src/util/openssl-util.cc
+++ b/be/src/util/openssl-util.cc
@@ -25,6 +25,7 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
+#include <openssl/tls1.h>
 
 #include "common/atomic.h"
 #include "gutil/port.h" // ATTRIBUTE_WEAK
@@ -70,7 +71,13 @@ static const int RNG_RESEED_INTERVAL = 128;
 static const int RNG_RESEED_BYTES = 512;
 
 int MaxSupportedTlsVersion() {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
   return SSLv23_method()->version;
+#else
+  // OpenSSL 1.1+ doesn't let us detect the supported TLS version at runtime. Assume
+  // that the OpenSSL library we're linked against supports only up to TLS1.2
+  return TLS1_2_VERSION;
+#endif
 }
 
 bool IsInternalTlsConfigured() {
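Review bot: The `#else` branch of MaxSupportedTlsVersion() hard-codes `TLS1_2_VERSION`, so a build against an OpenSSL release that offers TLS 1.3 will still report 1.2 as its maximum. If callers use this value to validate a configured minimum protocol version or cipher list (not visible in this hunk), a TLS 1.3 setting could be rejected or silently capped. Consider returning `TLS1_3_VERSION` when the headers define it, guarded by `#ifdef TLS1_3_VERSION`. The comment should also say that the result is a compile-time assumption about the headers, not a property of the library loaded at runtime.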
@@ -97,13 +104,25 @@ struct ScopedEVPCipherCtx {
   DISALLOW_COPY_AND_ASSIGN(ScopedEVPCipherCtx);
 
   explicit ScopedEVPCipherCtx(int padding) {
-    EVP_CIPHER_CTX_init(&ctx);
-    EVP_CIPHER_CTX_set_padding(&ctx, padding);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    ctx = static_cast<EVP_CIPHER_CTX*>(malloc(sizeof(*ctx)));
+    EVP_CIPHER_CTX_init(ctx);
+#else
+    ctx = EVP_CIPHER_CTX_new();
+#endif
+    EVP_CIPHER_CTX_set_padding(ctx, padding);
   }
 
-  ~ScopedEVPCipherCtx() { EVP_CIPHER_CTX_cleanup(&ctx); }
+  ~ScopedEVPCipherCtx() {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    EVP_CIPHER_CTX_cleanup(ctx);
+    free(ctx);
+#else
+    EVP_CIPHER_CTX_free(ctx);
+#endif
+  }
 
-  EVP_CIPHER_CTX ctx;
+  EVP_CIPHER_CTX* ctx;
 };
 
 // Callback used by OpenSSLErr() - write the error given to us through buf to the
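Review bot: Neither allocation in the ScopedEVPCipherCtx constructor is checked, so if `malloc` or `EVP_CIPHER_CTX_new()` returns NULL, the following `EVP_CIPHER_CTX_init(ctx)` / `EVP_CIPHER_CTX_set_padding(ctx, padding)` and every later `ctx.ctx` use in EncryptInternal operate on a null context. Since the constructor cannot return a Status, guard the padding call with `if (ctx != nullptr)` and have EncryptInternal return an error when `ctx.ctx == nullptr` before the first `EVP_*Init_ex`. As far as I know `EVP_CIPHER_CTX_new()` and `EVP_CIPHER_CTX_free()` are also available in OpenSSL 1.0.x, so both `#if` blocks could collapse to the new/free pair and drop the manual `malloc`/`free`. The struct begins outside this hunk.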
@@ -170,13 +189,13 @@ Status EncryptionKey::EncryptInternal(
   // mode is well-optimized(instruction level parallelism) with hardware acceleration
   // on x86 and PowerPC
   const EVP_CIPHER* evpCipher = GetCipher();
-  int success = encrypt ? EVP_EncryptInit_ex(&ctx.ctx, evpCipher, NULL, key_, iv_) :
-                          EVP_DecryptInit_ex(&ctx.ctx, evpCipher, NULL, key_, iv_);
+  int success = encrypt ? EVP_EncryptInit_ex(ctx.ctx, evpCipher, NULL, key_, iv_) :
+                          EVP_DecryptInit_ex(ctx.ctx, evpCipher, NULL, key_, iv_);
   if (success != 1) {
     return OpenSSLErr(encrypt ? "EVP_EncryptInit_ex" : "EVP_DecryptInit_ex", err_context);
   }
   if (IsGcmMode()) {
-    if (EVP_CIPHER_CTX_ctrl(&ctx.ctx, EVP_CTRL_GCM_SET_IVLEN, AES_BLOCK_SIZE, NULL)
+    if (EVP_CIPHER_CTX_ctrl(ctx.ctx, EVP_CTRL_GCM_SET_IVLEN, AES_BLOCK_SIZE, NULL)
         != 1) {
       return OpenSSLErr("EVP_CIPHER_CTX_ctrl", err_context);
     }
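Review bot: On the lines touched here, `iv_` is passed to `EVP_EncryptInit_ex`/`EVP_DecryptInit_ex` before `EVP_CTRL_GCM_SET_IVLEN` raises the IV length to `AES_BLOCK_SIZE`. OpenSSL's documented order for GCM is cipher first, then IV length, then key and IV. With the order shown, the IV is likely consumed at the default 12-byte length, so only part of `iv_` would act as the nonce unless it is supplied again outside this hunk. If a 16-byte IV is intended, call init with `NULL` key and IV, set the length, then call `EVP_EncryptInit_ex(ctx.ctx, NULL, NULL, key_, iv_)` (and the decrypt equivalent). Changing this alters the ciphertext for a given key and IV, so it needs a compatibility check for any data already written. EncryptInternal starts and ends outside this hunk.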
@@ -189,8 +208,8 @@ Status EncryptionKey::EncryptInternal(
     int in_len = static_cast<int>(min<int64_t>(len - offset, numeric_limits<int>::max()));
     int out_len;
     success = encrypt ?
-        EVP_EncryptUpdate(&ctx.ctx, out + offset, &out_len, data + offset, in_len) :
-        EVP_DecryptUpdate(&ctx.ctx, out + offset, &out_len, data + offset, in_len);
+        EVP_EncryptUpdate(ctx.ctx, out + offset, &out_len, data + offset, in_len) :
+        EVP_DecryptUpdate(ctx.ctx, out + offset, &out_len, data + offset, in_len);
     if (success != 1) {
       return OpenSSLErr(encrypt ? "EVP_EncryptUpdate" : "EVP_DecryptUpdate", err_context);
     }
@@ -201,7 +220,7 @@ Status EncryptionKey::EncryptInternal(
 
   if (IsGcmMode() && !encrypt) {
     // Set expected tag value
-    if (EVP_CIPHER_CTX_ctrl(&ctx.ctx, EVP_CTRL_GCM_SET_TAG, AES_BLOCK_SIZE, gcm_tag_)
+    if (EVP_CIPHER_CTX_ctrl(ctx.ctx, EVP_CTRL_GCM_SET_TAG, AES_BLOCK_SIZE, gcm_tag_)
         != 1) {
       return OpenSSLErr("EVP_CIPHER_CTX_ctrl", err_context);
     }
@@ -209,14 +228,14 @@ Status EncryptionKey::EncryptInternal(
 
   // Finalize encryption or decryption.
   int final_out_len;
-  success = encrypt ? EVP_EncryptFinal_ex(&ctx.ctx, out + offset, &final_out_len) :
-                      EVP_DecryptFinal_ex(&ctx.ctx, out + offset, &final_out_len);
+  success = encrypt ? EVP_EncryptFinal_ex(ctx.ctx, out + offset, &final_out_len) :
+                      EVP_DecryptFinal_ex(ctx.ctx, out + offset, &final_out_len);
   if (success != 1) {
     return OpenSSLErr(encrypt ? "EVP_EncryptFinal" : "EVP_DecryptFinal", err_context);
   }
 
   if (IsGcmMode() && encrypt) {
-    if (EVP_CIPHER_CTX_ctrl(&ctx.ctx, EVP_CTRL_GCM_GET_TAG, AES_BLOCK_SIZE, gcm_tag_)
+    if (EVP_CIPHER_CTX_ctrl(ctx.ctx, EVP_CTRL_GCM_GET_TAG, AES_BLOCK_SIZE, gcm_tag_)
         != 1) {
       return OpenSSLErr("EVP_CIPHER_CTX_ctrl", err_context);
     }