From: Emmanuel Deloget Date: Mon, 19 Jun 2017 15:35:13 +0000 (+0200) Subject: OpenSSL: remove pre-1.1 function from the OpenSSL compat interface X-Git-Tag: v2.5_beta1~651 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64b8a4ae9d7edb39f802d0d4cbdf9d46116f2461;p=thirdparty%2Fopenvpn.git OpenSSL: remove pre-1.1 function from the OpenSSL compat interface HMAC_CTX_init() has been removed from OpenSSL 1.1. Both this function and function HMAC_CTX_cleanup() has been replaced by HMAC_CTX_reset(). Commit aba98e9050eb54d72d921e70bcd422cb892b9c6c introduced support for HMAC_CTX_init() for OpenSSL 1.1+ while other functions were mimicking the OpenSSL 1.1 interface for earlier version. This is clearly not a good idea -- a better approach would be to provide the new interface for pre-1.1 versions in order to have the dependant code use only one interface version. To implement that, we remove HMAC_CTX_init() from our compatibility layer and implement HMAC_CTX_reset() in terms of a cleanup followed by an init (as the regular HMAC_CTX_reset() function does in OpenSSL 1.1. This change has a consequence on HMAC_CTX_free() which now need to cleanup() the HMAC context before freeing it. Acked-by: Steffan Karger Message-Id: <20170619153513.5420-1-logout@free.fr> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14889.html Signed-off-by: Gert Doering --- diff --git a/configure.ac b/configure.ac index 56ce5f82e..22f91cb60 100644 --- a/configure.ac +++ b/configure.ac @@ -924,7 +924,6 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then HMAC_CTX_new \ HMAC_CTX_free \ HMAC_CTX_reset \ - HMAC_CTX_init \ EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index a55e65c10..9cf3355b7 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -930,7 +930,7 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); - HMAC_CTX_init(ctx); + HMAC_CTX_reset(ctx); HMAC_Init_ex(ctx, key, key_len, kt, NULL); /* make sure we used a big enough key */ diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c765f0bb9..617410e02 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -120,6 +120,15 @@ EVP_CIPHER_CTX_new(void) /** * Reset a HMAC context * + * OpenSSL 1.1+ removes APIs HMAC_CTX_init() and HMAC_CTX_cleanup() + * and replace them with a single call that does a cleanup followed + * by an init. A proper _reset() for OpenSSL < 1.1 should perform + * a similar set of operations. + * + * It means that before we kill a HMAC context, we'll have to cleanup + * again, as we probably have allocated a few resources when we forced + * an init. + * * @param ctx The HMAC context * @return 1 on success, 0 on error */ @@ -127,42 +136,22 @@ static inline int HMAC_CTX_reset(HMAC_CTX *ctx) { HMAC_CTX_cleanup(ctx); + HMAC_CTX_init(ctx); return 1; } #endif -#if !defined(HAVE_HMAC_CTX_INIT) -/** - * Init a HMAC context - * - * @param ctx The HMAC context - * - * Contrary to many functions in this file, HMAC_CTX_init() is not - * an OpenSSL 1.1 function: it comes from previous versions and was - * removed in v1.1. As a consequence, there is no distincting in - * v1.1 between a cleanup, and init and a reset. Yet, previous OpenSSL - * version need this distinction. - * - * In order to respect previous OpenSSL versions, we implement init - * as reset for OpenSSL 1.1+. - */ -static inline void -HMAC_CTX_init(HMAC_CTX *ctx) -{ - HMAC_CTX_reset(ctx); -} -#endif - #if !defined(HAVE_HMAC_CTX_FREE) /** - * Free an existing HMAC context + * Cleanup and free an existing HMAC context * * @param ctx The HMAC context */ static inline void -HMAC_CTX_free(HMAC_CTX *c) +HMAC_CTX_free(HMAC_CTX *ctx) { - free(c); + HMAC_CTX_cleanup(ctx); + free(ctx); } #endif