This is an automated email from the ASF dual-hosted git repository.
jvanderzee pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 0d3a5f3ada Update magick plugin to OpenSSL 1.1.1 API (#11441)
0d3a5f3ada is described below
commit 0d3a5f3ada6b9548a08bfbc64a737f90855785f3
Author: JosiahWI <[email protected]>
AuthorDate: Wed Jun 12 11:46:37 2024 -0500
Update magick plugin to OpenSSL 1.1.1 API (#11441)
The functions `EVP_MD_CTX_create` and `EVP_MD_CTX_destroy` were renamed to
`EVP_MD_CTX_new` and `EVP_MD_CTX_free` in OpenSSL 1.1.0. This renames them
in the magick plugin accordingly. This also replaces the individual calls
to `EVP_DigestVerifyUpdate` and `EVP_DigestVerifyFinal` with a single call
to `EVP_DigestVerify` which is available in OpenSSL 1.1.1. It also adds
calls to print debug information for OpenSSL errors during verification.
---
plugins/experimental/magick/magick.cc | 51 +++++++++++++++++++----------------
1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/plugins/experimental/magick/magick.cc
b/plugins/experimental/magick/magick.cc
index 968b0b1889..09de27ca23 100644
--- a/plugins/experimental/magick/magick.cc
+++ b/plugins/experimental/magick/magick.cc
@@ -176,10 +176,10 @@ struct EVPContext {
~EVPContext()
{
assert(nullptr != context);
- EVP_MD_CTX_destroy(context);
+ EVP_MD_CTX_free(context);
}
- EVPContext() : context(EVP_MD_CTX_create()) { assert(nullptr != context); }
+ EVPContext() : context(EVP_MD_CTX_new()) { assert(nullptr != context); }
};
struct EVPKey {
@@ -203,6 +203,20 @@ struct EVPKey {
}
};
+/** Remove the last error from this thread's error queue and print it.
+ */
+static void
+ssl_error()
+{
+ if (unsigned long error_code{ERR_get_error()}; 0 != error_code) {
+ if (char const *reason{ERR_reason_error_string(error_code)}; NULL ==
reason) {
+ Dbg(dbg_ctl, "SSL error: error code %lu", error_code);
+ } else {
+ Dbg(dbg_ctl, "SSL error: %s", reason);
+ }
+ }
+}
+
bool
verify(const byte *const msg, const size_t mlen, const byte *const sig, const
size_t slen, EVP_PKEY *const pkey)
{
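Review bot: The header comment on `ssl_error` says it removes the last error, but `ERR_get_error()` pops the earliest entry of the thread's queue, and only one entry is popped, so any further entries pushed by the same failed call stay queued and are printed by the next `ssl_error()` call on this thread as if they belonged to that later operation. Draining the queue addresses both points: `while (unsigned long error_code = ERR_get_error()) {` in place of the `if` with initializer, with the comment reworded to `/** Drain this thread's OpenSSL error queue, printing each entry (earliest first). */`. The `NULL == reason` comparison also stands out in a file that otherwise uses `nullptr` (see the `EVPContext` hunk above); `nullptr == reason` would match. The body of `verify` runs past the end of this hunk.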
@@ -218,30 +232,21 @@ verify(const byte *const msg, const size_t mlen, const
byte *const sig, const si
EVPContext evp;
- {
- const int rc = EVP_DigestVerifyInit(evp.context, nullptr, EVP_sha256(),
nullptr, pkey);
- assert(1 == rc);
- if (1 != rc) {
- return false;
- }
- }
-
- {
- const int rc = EVP_DigestVerifyUpdate(evp.context, msg, mlen);
- assert(1 == rc);
- if (1 != rc) {
- return false;
- }
+ if (const int rc = EVP_DigestVerifyInit(evp.context, nullptr, EVP_sha256(),
nullptr, pkey); 1 != rc) {
+ ssl_error();
+ return false;
}
- ERR_clear_error();
-
- {
- const int rc = EVP_DigestVerifyFinal(evp.context, sig, slen);
- return 1 == rc;
+ if (const int rc = EVP_DigestVerify(evp.context, sig, slen, msg, mlen); 1 ==
rc) {
+ return true;
+ } else {
+ // The OpenSSL 1.1.1 API distinguishes between a verification failure and a
+ // more serious error with a specific return value for the former, but we
+ // have collapsed them into one case because we don't do any special
+ // handling for serious errors.
+ ssl_error();
+ return false;
}
-
- return false;
}
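Review bot: The `ERR_clear_error()` the old code issued before its final verification call has no replacement, so an error already queued on this thread by an unrelated earlier OpenSSL call is what `ssl_error()` reports when `EVP_DigestVerifyInit` or `EVP_DigestVerify` fails here, misattributing it to this verification. Clearing the queue once at the top of the function scopes the diagnostic to this call: `ERR_clear_error();` placed immediately before the `EVP_DigestVerifyInit` line. The `else` after `return true` is also unnecessary; the failure branch and its comment can follow the `if` directly. `verify` begins outside this hunk.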
struct Exception {