JosiahWI opened a new pull request, #13349: URL: https://github.com/apache/trafficserver/pull/13349
This is work for #13347. It does not remove the OpenSSL 1.1.1 compatibility, but it switches the implementation to use OpenSSL 3.x APIs when available.

The change is split into three commits. The first one is a suite of unit tests generated by Claude Opus, which have at least one bug (stripping const from a const-object such as a string literal is highly dangerous; shame on you Claude Opus) and require at least OpenSSL 3.0. I'm happy with the test cases, but I need to fix the issues before taking this out of draft.

The second commit is the OpenSSL 3.0 implementation. This is the easiest place to view the meat of the change without distraction.

Finally, I split most of the work here into a new file called SSLKeyUtils.cc in the third commit. SSLUtils.cc needs refactoring according to CodeScene (the file is massive and not cohesive), and I saw an opportunity to make a small chip in it here in that direction, with the special benefit of isolating all the messy precompiler directives in the new file so that the SSLUtils.cc function remains sleek and build-configuration-independent.

When reviewing, please take a look at `EVP_PKEY_CTX_set_dh_rfc5114`. In the OpenSSL 3 implementation of `gen_dh_2048_258` I would rather use that helper function than manually set params. When I tried it, OpenSSL happily failed the corresponding unit test. Closer docs inspection reveals that the key type has to be `EVP_PK_DHX`, even for the `dh` version of the function. I don't know the difference between DH and DHX and whether it would be behavior-preserving to switch, so I'm asking for help here.

I have been thorough in error-checking and memory management, referring to OpenSSL's API documentation, but I am not familiar with OpenSSL APIs yet. I would appreciate a review from someone with a lot of OpenSSL experience.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
