JosiahWI opened a new pull request, #13349:
URL: https://github.com/apache/trafficserver/pull/13349

   This is work for #13347. It does not remove the OpenSSL 1.1.1 compatibility, 
but it switches the implementation to use OpenSSL 3.x APIs when available.
   
   The change is split into three commits. The first one is a suite of unit 
tests generated by Claude Opus, which have at least one bug (stripping const 
from a const-object such as a string literal is highly dangerous; shame on you 
Claude Opus) and require at least OpenSSL 3.0. I'm happy with the test cases, 
but I need to fix the issues before taking this out of draft.
   
   The second commit is the OpenSSL 3.0 implementation. This is the easiest 
place to view the meat of the change without distraction.
   
   Finally, I split most of the work here into a new file called SSLKeyUtils.cc 
in the third commit. SSLUtils.cc needs refactoring according to CodeScene (the 
file is massive and not cohesive), and I saw an opportunity to make a small 
chip in it here in that direction, with the special benefit of isolating all 
the messy precompiler directives in the new file so that the SSLUtils.cc 
function remains sleek and build-configuration-independent.
   
   When reviewing, please take a look at `EVP_PKEY_CTX_set_dh_rfc5114`. In the 
OpenSSL 3 implementation of `gen_dh_2048_258` I would rather use that helper 
function than manually set params. When I tried it, OpenSSL happily failed the 
corresponding unit test. Closer docs inspection reveals that the key type has 
to be `EVP_PK_DHX`, even for the `dh` version of the function. I don't know the 
difference between DH and DHX and whether it would be behavior-preserving to 
switch, so I'm asking for help here.
   
   I have been thorough in error-checking and memory management, referring to 
OpenSSL's API documentation, but I am not familiar with OpenSSL APIs yet. I 
would appreciate a review from someone with a lot of OpenSSL experience.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
