Yes, OpenSSL now wants the size of the buffer passed into EVP_DigestSignFinal
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 23 Dec 2021 02:30:42 +0000 (20:30 -0600)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 23 Dec 2021 02:30:42 +0000 (20:30 -0600)
src/lib/eap_aka_sim/crypto.c
src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.c
src/modules/rlm_wimax/rlm_wimax.c

index a5dcc42ade75a147667bb6e2ca72234d229f3aac..7efa392918a5907a248b3e406946cc09f630bb20 100644 (file)
@@ -289,7 +289,7 @@ ssize_t fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE
        EVP_PKEY                *pkey;
 
        uint8_t                 digest[SHA256_DIGEST_LENGTH];
-       size_t                  digest_len = 0;
+       size_t                  digest_len = sizeof(digest);
        uint8_t const           *mac;
        uint8_t                 *p = eap_packet->type.data, *end = p + eap_packet->type.length;
 
@@ -644,7 +644,7 @@ int fr_aka_sim_crypto_umts_kdf_0(fr_aka_sim_keys_t *keys)
 static int ck_ik_prime_derive(fr_aka_sim_keys_t *keys)
 {
        uint8_t         digest[sizeof(keys->ik_prime) + sizeof(keys->ck_prime)];
-       size_t          len;
+       size_t          digest_len = sizeof(digest);
 
        uint8_t         sqn_ak_buff[MILENAGE_SQN_SIZE];
        uint16_t        l0, l1;
@@ -730,7 +730,7 @@ static int ck_ik_prime_derive(fr_aka_sim_keys_t *keys)
        }
 
        if (EVP_DigestSignUpdate(md_ctx, s, s_len) != 1) goto error;
-       if (EVP_DigestSignFinal(md_ctx, digest, &len) != 1) goto error;
+       if (EVP_DigestSignFinal(md_ctx, digest, &digest_len) != 1) goto error;
 
        memcpy(keys->ik_prime, digest, sizeof(keys->ik_prime));
        memcpy(keys->ck_prime, digest + sizeof(keys->ik_prime), sizeof(keys->ck_prime));
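Review bot: The two memcpy calls after EVP_DigestSignFinal copy sizeof(keys->ik_prime) + sizeof(keys->ck_prime) bytes out of `digest` without looking at the `digest_len` value the call just returned. If the MAC were ever shorter than the buffer, the tail of `digest` would be uninitialised stack data that ends up in CK'/IK'. Since the length is now tracked, a check right after the call closes that gap: `if (digest_len != sizeof(digest)) goto error;`. The body of ck_ik_prime_derive starts and ends outside this hunk, so whether `digest` is cleared on exit cannot be seen here.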
@@ -799,7 +799,7 @@ static int aka_prime_prf(uint8_t *out, size_t outlen,
        }
 
        while (p < end) {
-               size_t len;
+               size_t digest_len = sizeof(digest);
                size_t copy;
 
                c++;
@@ -808,10 +808,10 @@ static int aka_prime_prf(uint8_t *out, size_t outlen,
                if ((p != out) && EVP_DigestSignUpdate(md_ctx, digest, sizeof(digest)) != 1) goto error;/* Ingest last round */
                if (EVP_DigestSignUpdate(md_ctx, in, in_len) != 1) goto error;                          /* Ingest s */
                if (EVP_DigestSignUpdate(md_ctx, &c, sizeof(c)) != 1) goto error;                       /* Ingest round number */
-               if (EVP_DigestSignFinal(md_ctx, digest, &len) != 1) goto error;                         /* Output T(i) */
+               if (EVP_DigestSignFinal(md_ctx, digest, &digest_len) != 1) goto error;                  /* Output T(i) */
 
                copy = end - p;
-               if (copy > SHA256_DIGEST_LENGTH) copy = SHA256_DIGEST_LENGTH;
+               if (copy > digest_len) copy = digest_len;
 
                memcpy(p, digest, copy);
                p += copy;
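Review bot: The clamp on `copy` now uses `digest_len`, but the "Ingest last round" call at the top of the loop still feeds `sizeof(digest)` bytes of `digest` into the next round, so the two can disagree about how much of the buffer is valid. If `digest_len` ever came back smaller than the buffer, the next T(i) would be computed over stale bytes, and a `digest_len` of zero would leave `p` unchanged so the loop makes no progress. Making the expectation explicit after the final call keeps both uses consistent: `if (digest_len != sizeof(digest)) goto error;`. The loop and the declaration of `digest` extend outside this hunk.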
index d948592dcb2b8f002803d309ccbc61b2bc77ff06..f08c04788438b973bfb6b843c8023480c5e8ab54 100644 (file)
@@ -244,7 +244,7 @@ static void crypto_rfc4346_p_hash(uint8_t *out, size_t out_len,
        /*
         *      OpenSSL <= 1.1.1 requires a non-null pointer for len
         */
-       EVP_DigestSignFinal(ctx_a, a, &(size_t){ 0 });
+       EVP_DigestSignFinal(ctx_a, a, &(size_t){ sizeof(a) });
 
        while (1) {
                /* Calculate next part of output */
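Review bot: The return value of `EVP_DigestSignFinal(ctx_a, a, ...)` is still discarded here, and the same holds for the three calls changed in the next two hunks of this file. Going by the commit title, OpenSSL now validates the length on input, so a failure would leave `a` (or `out`) with whatever it held before and the PRF output would be derived from it silently. crypto_rfc4346_p_hash returns void, so acting on `!= 1` needs a signature change or at least an error log, with callers treating the output as invalid. The comment above the call is also out of date and could read `/* OpenSSL requires a non-NULL len that holds the size of the output buffer on input */`.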
@@ -253,13 +253,13 @@ static void crypto_rfc4346_p_hash(uint8_t *out, size_t out_len,
 
                /* Check if last part */
                if (out_len < size) {
-                       EVP_DigestSignFinal(ctx_out, a, &(size_t){ 0 });
+                       EVP_DigestSignFinal(ctx_out, a, &(size_t){ sizeof(a) });
                        memcpy(out, a, out_len);
                        break;
                }
 
                /* Place digest in output buffer */
-               EVP_DigestSignFinal(ctx_out, out, &(size_t){ 0 });
+               EVP_DigestSignFinal(ctx_out, out, &(size_t){ EVP_MAX_MD_SIZE });
                EVP_MD_CTX_reset(ctx_out);
 
                EVP_DigestSignInit(ctx_out, NULL, evp_md, NULL, pkey);
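Review bot: The "Place digest in output buffer" call writes into the caller's `out` but declares its capacity as `EVP_MAX_MD_SIZE`, which is not the space actually left there. The branch just above has already handled `out_len < size`, so the real remaining capacity is `out_len`, and `EVP_DigestSignFinal(ctx_out, out, &(size_t){ out_len });` would let OpenSSL's size check mean something. In the following hunk the `ctx_a` call likewise passes `EVP_MAX_MD_SIZE` for `a`, where the earlier calls use `sizeof(a)`. Using `sizeof(a)` there too avoids depending on the declared size of `a`, which is outside these hunks.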
@@ -270,7 +270,7 @@ static void crypto_rfc4346_p_hash(uint8_t *out, size_t out_len,
                EVP_MD_CTX_reset(ctx_a);
                EVP_DigestSignInit(ctx_a, NULL, evp_md, NULL, pkey);
                EVP_DigestSignUpdate(ctx_a, a, size);
-               EVP_DigestSignFinal(ctx_a, a, &(size_t){ 0 });
+               EVP_DigestSignFinal(ctx_a, a, &(size_t){ EVP_MAX_MD_SIZE });
        }
 
        EVP_PKEY_free(pkey);
index 013c3ad9e769e819b6efcecc95a06aa665dc2ea0..4f80a6693ce1cc6098dcde45b94e04dd4ac7b9a0 100644 (file)
@@ -167,11 +167,11 @@ static unlang_action_t CC_HINT(nonnull) mod_post_auth(rlm_rcode_t *p_result, mod
        fr_pair_t               *mn_nai, *ip, *fa_rk;
        EVP_MD_CTX              *hmac_ctx;
        EVP_PKEY                *hmac_pkey;
-       size_t                  rk1_len, rk2_len, rk_len;
        uint32_t                mip_spi;
        uint8_t                 usage_data[24];
        uint8_t                 mip_rk_1[EVP_MAX_MD_SIZE], mip_rk_2[EVP_MAX_MD_SIZE];
        uint8_t                 mip_rk[2 * EVP_MAX_MD_SIZE];
+       size_t                  rk1_len = sizeof(mip_rk_1), rk2_len = sizeof(mip_rk_2), rk_len = sizeof(mip_rk);
 
        msk = fr_pair_find_by_da_idx(&request->reply_pairs, attr_eap_msk, 0);
        emsk = fr_pair_find_by_da_idx(&request->reply_pairs, attr_eap_emsk, 0);
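Review bot: `rk1_len`, `rk2_len` and `rk_len` are set to their buffer sizes only once, at declaration, yet EVP_DigestSignFinal overwrites its length argument with the number of bytes written. If any of them is passed to more than one such call later in mod_post_auth (the rest of the function is outside this hunk), the later call would see the previous digest length instead of the buffer size. Resetting before each reuse, e.g. `rk1_len = sizeof(mip_rk_1);`, avoids depending on the order and digest sizes of the calls. A short comment on the declaration stating that these are in/out parameters would also help.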