Hi, On 19-06-17 17:35, log...@free.fr wrote: > From: Emmanuel Deloget <log...@free.fr> > > HMAC_CTX_init() has been removed from OpenSSL 1.1. Both this function > and function HMAC_CTX_cleanup() has been replaced by HMAC_CTX_reset(). > > Commit aba98e9050eb54d72d921e70bcd422cb892b9c6c introduced support for > HMAC_CTX_init() for OpenSSL 1.1+ while other functions were mimicking > the OpenSSL 1.1 interface for earlier version. This is clearly not a > good idea -- a better approach would be to provide the new interface for > pre-1.1 versions in order to have the dependant code use only one > interface version. To implement that, we remove HMAC_CTX_init() from our > compatibility layer and implement HMAC_CTX_reset() in terms of a cleanup > followed by an init (as the regular HMAC_CTX_reset() function does in > OpenSSL 1.1. This change has a consequence on HMAC_CTX_free() which now > need to cleanup() the HMAC context before freeing it. > --- > configure.ac | 1 - > src/openvpn/crypto_openssl.c | 2 +- > src/openvpn/openssl_compat.h | 39 ++++++++++++++------------------------- > 3 files changed, 15 insertions(+), 27 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 56ce5f82..22f91cb6 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -924,7 +924,6 @@ if test "${enable_crypto}" = "yes" -a > "${with_crypto_library}" = "openssl"; then > HMAC_CTX_new \ > HMAC_CTX_free \ > HMAC_CTX_reset \ > - HMAC_CTX_init \ > EVP_MD_CTX_new \ > EVP_MD_CTX_free \ > EVP_MD_CTX_reset \ > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index a55e65c1..9cf3355b 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -930,7 +930,7 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int > key_len, > { > ASSERT(NULL != kt && NULL != ctx); > > - HMAC_CTX_init(ctx); > + HMAC_CTX_reset(ctx); > HMAC_Init_ex(ctx, key, key_len, kt, NULL); > > /* make sure we used a big enough key */ 
> diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h > index c765f0bb..617410e0 100644 > --- a/src/openvpn/openssl_compat.h > +++ b/src/openvpn/openssl_compat.h > @@ -120,6 +120,15 @@ EVP_CIPHER_CTX_new(void) > /** > * Reset a HMAC context > * > + * OpenSSL 1.1+ removes APIs HMAC_CTX_init() and HMAC_CTX_cleanup() > + * and replace them with a single call that does a cleanup followed > + * by an init. A proper _reset() for OpenSSL < 1.1 should perform > + * a similar set of operations. > + * > + * It means that before we kill a HMAC context, we'll have to cleanup > + * again, as we probably have allocated a few resources when we forced > + * an init. > + * > * @param ctx The HMAC context > * @return 1 on success, 0 on error > */ > @@ -127,42 +136,22 @@ static inline int > HMAC_CTX_reset(HMAC_CTX *ctx) > { > HMAC_CTX_cleanup(ctx); > + HMAC_CTX_init(ctx); > return 1; > } > #endif > > -#if !defined(HAVE_HMAC_CTX_INIT) > -/** > - * Init a HMAC context > - * > - * @param ctx The HMAC context > - * > - * Contrary to many functions in this file, HMAC_CTX_init() is not > - * an OpenSSL 1.1 function: it comes from previous versions and was > - * removed in v1.1. As a consequence, there is no distincting in > - * v1.1 between a cleanup, and init and a reset. Yet, previous OpenSSL > - * version need this distinction. > - * > - * In order to respect previous OpenSSL versions, we implement init > - * as reset for OpenSSL 1.1+. > - */ > -static inline void > -HMAC_CTX_init(HMAC_CTX *ctx) > -{ > - HMAC_CTX_reset(ctx); > -} > -#endif > - > #if !defined(HAVE_HMAC_CTX_FREE) > /** > - * Free an existing HMAC context > + * Cleanup and free an existing HMAC context > * > * @param ctx The HMAC context > */ > static inline void > -HMAC_CTX_free(HMAC_CTX *c) > +HMAC_CTX_free(HMAC_CTX *ctx) > { > - free(c); > + HMAC_CTX_cleanup(ctx); > + free(ctx); > } > #endif > >
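Review bot: in the crypto_openssl.c hunk, hmac_ctx_init() discards the return value of HMAC_CTX_reset(ctx), which the compat header documents as "1 on success, 0 on error". The pre-1.1 shim always returns 1, but the call site is shared with OpenSSL 1.1+, so a failed reset would go unnoticed before HMAC_Init_ex() is called on the context. Suggest checking the result here, for example with the ASSERT() already used at the top of the function.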
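Review bot: in the pre-1.1 HMAC_CTX_reset() in openssl_compat.h, HMAC_CTX_cleanup(ctx) runs before HMAC_CTX_init(ctx), and hmac_ctx_init() now calls this as the first operation on the context, so the cleanup may see a context that was never initialised. That is only safe if every context reaching this function was zeroed or initialised when it was allocated. The compat HMAC_CTX_new() is not part of this diff, so please confirm it guarantees that and state the precondition in the new comment block.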
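Review bot: the pre-1.1 HMAC_CTX_free() in openssl_compat.h now calls HMAC_CTX_cleanup(ctx) with no NULL guard, while the old body, free(c), was safe on a NULL pointer, as is OpenSSL 1.1's own HMAC_CTX_free(). A caller that frees a NULL context on an error path would then behave differently depending on the OpenSSL version it was built against. Suggest wrapping both calls in `if (ctx != NULL)` so the shim matches the interface it stands in for.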
Thanks, ACK. -Steffan