[Git][NTPsec/ntpsec][master] 2 commits: Revert "Address GitLab issue #237: Build fails with OpenSSL 1.1"
Matt Selsky
gitlab at mg.gitlab.com
Tue Jan 31 14:27:45 UTC 2017
Matt Selsky pushed to branch master at NTPsec / ntpsec
Commits:
51d5f16d by Matt Selsky at 2017-01-31T09:03:29-05:00
Revert "Address GitLab issue #237: Build fails with OpenSSL 1.1"
- - - - -
c94c218c by Matt Selsky at 2017-01-31T09:23:33-05:00
Fix compatibility with OpenSSL 1.1
EVP_MD_CTX is now an opaque structure so we need it to be a pointer. It's also
easier if we use OpenSSL's initialization functions instead of doing our own
memory management.
Fixes GitLab issue #237
- - - - -
4 changed files:
- libntp/macencrypt.c
- ntpd/ntp_control.c
- ntpd/ntp_leapsec.c
- wafhelpers/check_openssl.py
Changes:
=====================================
libntp/macencrypt.c
=====================================
--- a/libntp/macencrypt.c
+++ b/libntp/macencrypt.c
@@ -52,7 +52,7 @@ mac_authencrypt(
{
uint8_t digest[EVP_MAX_MD_SIZE];
u_int len;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
/*
* Compute digest of key concatenated with packet. Note: the
@@ -60,14 +60,16 @@ mac_authencrypt(
* was created.
*/
ssl_init();
- if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
+ ctx = EVP_MD_CTX_create();
+ if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(type), NULL)) {
msyslog(LOG_ERR,
"MAC encrypt: digest init failed");
return (0);
}
- EVP_DigestUpdate(&ctx, key, cache_secretsize);
- EVP_DigestUpdate(&ctx, (uint8_t *)pkt, (u_int)length);
- EVP_DigestFinal(&ctx, digest, &len);
+ EVP_DigestUpdate(ctx, key, cache_secretsize);
+ EVP_DigestUpdate(ctx, (uint8_t *)pkt, (u_int)length);
+ EVP_DigestFinal_ex(ctx, digest, &len);
+ EVP_MD_CTX_destroy(ctx);
memmove((uint8_t *)pkt + length + 4, digest, len);
return (len + 4);
}
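Review bot: The early `return (0);` after a failed EVP_DigestInit_ex leaks the context that `EVP_MD_CTX_create()` allocated two lines above, because `EVP_MD_CTX_destroy(ctx)` is only reached on the success path; the mac_authdecrypt hunk below has the same leak. EVP_MD_CTX_create() also returns NULL on allocation failure and that result is never checked before the context is handed to EVP_DigestInit_ex, here and in the addr2refid, derive_nonce and leapsec_validate hunks of this commit. A minimal fix is to free on the error path, `EVP_MD_CTX_destroy(ctx);` placed before `return (0);`, and to treat a NULL context like a failed init, `if (ctx == NULL || !EVP_DigestInit_ex(ctx, EVP_get_digestbynid(type), NULL)) {`. The mac_authencrypt signature lies above this hunk.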
@@ -89,7 +91,7 @@ mac_authdecrypt(
{
uint8_t digest[EVP_MAX_MD_SIZE];
u_int len;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
/*
* Compute digest of key concatenated with packet. Note: the
@@ -97,14 +99,16 @@ mac_authdecrypt(
* was created.
*/
ssl_init();
- if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
+ ctx = EVP_MD_CTX_create();
+ if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(type), NULL)) {
msyslog(LOG_ERR,
"MAC decrypt: digest init failed");
return (0);
}
- EVP_DigestUpdate(&ctx, key, cache_secretsize);
- EVP_DigestUpdate(&ctx, (uint8_t *)pkt, (u_int)length);
- EVP_DigestFinal(&ctx, digest, &len);
+ EVP_DigestUpdate(ctx, key, cache_secretsize);
+ EVP_DigestUpdate(ctx, (uint8_t *)pkt, (u_int)length);
+ EVP_DigestFinal_ex(ctx, digest, &len);
+ EVP_MD_CTX_destroy(ctx);
if ((u_int)size != len + 4) {
msyslog(LOG_ERR,
"MAC decrypt: MAC length error");
@@ -124,7 +128,7 @@ addr2refid(sockaddr_u *addr)
{
uint8_t digest[20];
uint32_t addr_refid;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
u_int len;
if (IS_IPV4(addr))
@@ -132,19 +136,20 @@ addr2refid(sockaddr_u *addr)
ssl_init();
- EVP_MD_CTX_init(&ctx);
+ ctx = EVP_MD_CTX_create();
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* MD5 is not used as a crypto hash here. */
- EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
#endif
- if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
+ if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) {
msyslog(LOG_ERR, "MD5 init failed");
exit(1);
}
- EVP_DigestUpdate(&ctx, (uint8_t *)PSOCK_ADDR6(addr),
+ EVP_DigestUpdate(ctx, (uint8_t *)PSOCK_ADDR6(addr),
sizeof(struct in6_addr));
- EVP_DigestFinal(&ctx, digest, &len);
+ EVP_DigestFinal_ex(ctx, digest, &len);
+ EVP_MD_CTX_destroy(ctx);
memcpy(&addr_refid, digest, sizeof(addr_refid));
return (addr_refid);
}
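Review bot: `EVP_MD_CTX_create()` and `EVP_MD_CTX_destroy()` are, in OpenSSL 1.1, kept only as compatibility macros for EVP_MD_CTX_new()/EVP_MD_CTX_free(); since the commit message targets 1.1 compatibility, a reader may later "modernize" these names and break builds against older libcrypto, presumably the reason the old names were chosen. A one-line comment at the first call site would record that: `/* EVP_MD_CTX_create/destroy: the 1.0.x names, still provided by 1.1 as aliases of EVP_MD_CTX_new/free */`. The addr2refid signature is above this hunk.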
=====================================
ntpd/ntp_control.c
=====================================
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -3025,7 +3025,7 @@ static uint32_t derive_nonce(
uint8_t digest[EVP_MAX_MD_SIZE];
uint32_t extract;
} d;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
u_int len;
while (!salt[0] || current_time - last_salt_update >= 3600) {
@@ -3036,19 +3036,21 @@ static uint32_t derive_nonce(
last_salt_update = current_time;
}
- EVP_DigestInit(&ctx, EVP_md5());
- EVP_DigestUpdate(&ctx, salt, sizeof(salt));
- EVP_DigestUpdate(&ctx, &ts_i, sizeof(ts_i));
- EVP_DigestUpdate(&ctx, &ts_f, sizeof(ts_f));
+ ctx = EVP_MD_CTX_create();
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, salt, sizeof(salt));
+ EVP_DigestUpdate(ctx, &ts_i, sizeof(ts_i));
+ EVP_DigestUpdate(ctx, &ts_f, sizeof(ts_f));
if (IS_IPV4(addr))
- EVP_DigestUpdate(&ctx, &SOCK_ADDR4(addr),
+ EVP_DigestUpdate(ctx, &SOCK_ADDR4(addr),
sizeof(SOCK_ADDR4(addr)));
else
- EVP_DigestUpdate(&ctx, &SOCK_ADDR6(addr),
+ EVP_DigestUpdate(ctx, &SOCK_ADDR6(addr),
sizeof(SOCK_ADDR6(addr)));
- EVP_DigestUpdate(&ctx, &NSRCPORT(addr), sizeof(NSRCPORT(addr)));
- EVP_DigestUpdate(&ctx, salt, sizeof(salt));
- EVP_DigestFinal(&ctx, d.digest, &len);
+ EVP_DigestUpdate(ctx, &NSRCPORT(addr), sizeof(NSRCPORT(addr)));
+ EVP_DigestUpdate(ctx, salt, sizeof(salt));
+ EVP_DigestFinal_ex(ctx, d.digest, &len);
+ EVP_MD_CTX_destroy(ctx);
return d.extract;
}
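Review bot: The result of the new `EVP_DigestInit_ex(ctx, EVP_md5(), NULL);` is discarded, so if the digest cannot be initialized the later updates and `EVP_DigestFinal_ex` fail silently and `d.extract` may be returned from a `d.digest` that was never written, handing the caller a nonce made of leftover stack bytes. That failure is not hypothetical in this commit: addr2refid sets EVP_MD_CTX_FLAG_NON_FIPS_ALLOW before its MD5 init while derive_nonce does not, so a FIPS-restricted libcrypto would presumably fail exactly here. Checking the init the way addr2refid does, `if (ctx == NULL || !EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) { msyslog(LOG_ERR, "nonce digest init failed"); exit(1); }`, keeps the two call sites consistent; whether ntpd should exit or return an error code here is a design choice the hunk does not show. The derive_nonce signature and the salt refresh loop are above this hunk.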
=====================================
ntpd/ntp_leapsec.c
=====================================
--- a/ntpd/ntp_leapsec.c
+++ b/ntpd/ntp_leapsec.c
@@ -956,24 +956,25 @@ leapsec_validate(
leapsec_reader func,
void * farg)
{
- EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx;
sha1_digest rdig, ldig; /* remote / local digests */
char line[50];
int hlseen = -1;
- EVP_DigestInit(&mdctx, EVP_sha1());
+ mdctx = EVP_MD_CTX_create();
+ EVP_DigestInit_ex(mdctx, EVP_sha1(), NULL);
while (get_line(func, farg, line, sizeof(line))) {
if (!strncmp(line, "#h", 2))
hlseen = do_leap_hash(&rdig, line+2);
else if (!strncmp(line, "#@", 2))
- do_hash_data(&mdctx, line+2);
+ do_hash_data(mdctx, line+2);
else if (!strncmp(line, "#$", 2))
- do_hash_data(&mdctx, line+2);
+ do_hash_data(mdctx, line+2);
else if (isdigit((unsigned char)line[0]))
- do_hash_data(&mdctx, line);
+ do_hash_data(mdctx, line);
}
- EVP_DigestFinal(&mdctx, ldig.hv, NULL);
- EVP_MD_CTX_cleanup(&mdctx);
+ EVP_DigestFinal_ex(mdctx, ldig.hv, NULL);
+ EVP_MD_CTX_destroy(mdctx);
if (0 > hlseen)
return LSVALID_NOHASH;
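Review bot: Neither `mdctx = EVP_MD_CTX_create();` nor the following `EVP_DigestInit_ex(mdctx, EVP_sha1(), NULL);` has its return value checked, so on a NULL context the init dereferences NULL, and on a failed init every do_hash_data call and the final `EVP_DigestFinal_ex(mdctx, ldig.hv, NULL)` fail quietly, leaving `ldig.hv` uninitialised for whatever comparison with `rdig` follows outside this hunk. The function should bail out on either failure with whichever LSVALID_* code the caller treats as a failed validation, e.g. `if (mdctx == NULL || !EVP_DigestInit_ex(mdctx, EVP_sha1(), NULL)) { EVP_MD_CTX_destroy(mdctx); return LSVALID_NOHASH; }` if that code is appropriate. leapsec_validate continues past the end of this hunk.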
=====================================
wafhelpers/check_openssl.py
=====================================
--- a/wafhelpers/check_openssl.py
+++ b/wafhelpers/check_openssl.py
@@ -13,29 +13,29 @@ int main(void) {
def configure_openssl(ctx):
- # Some of these headers may not be needed. Check the build on Debian sid
- # and other older systems before removing any, though; incautious removals
- # have caused build breakage.
+ OPENSSL_HEADERS = True
+ OPENSSL_LIB = True
+
headers = (
- "openssl/asn1_mac.h",
- "openssl/bn.h",
- "openssl/err.h",
"openssl/evp.h",
- "openssl/pem.h",
"openssl/rand.h",
"openssl/objects.h",
- "openssl/x509v3.h",
- "openssl/ssl.h",
)
- ctx.check_cc(lib="crypto", mandatory=True)
- ctx.check_cc(
- fragment=OPENSSL_FRAG % "\n".join(["#include <%s>" % x
- for x in headers]),
- execute=True,
- use="CRYPTO",
- msg="Checking if OpenSSL works",
- mandatory=True,
- comment="OpenSSL support"
- )
+ for hdr in headers:
+ if not ctx.check_cc(header_name=hdr, comment="<%s> header" % hdr):
+ OPENSSL_HEADERS = False
+
+ if not ctx.check_cc(lib="crypto"):
+ OPENSSL_LIB = False
+
+ if OPENSSL_HEADERS and OPENSSL_LIB:
+ ctx.check_cc(
+ fragment=OPENSSL_FRAG % "\n".join(["#include <%s>" % x
+ for x in headers]),
+ execute=True,
+ use="CRYPTO",
+ msg="Checking if OpenSSL works",
+ comment="OpenSSL support"
+ )
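Review bot: The new `if not ctx.check_cc(...)` guards only work if the checks are non-fatal, yet no `mandatory=False` is passed; if waf's check_cc keeps its default of mandatory=True, a missing header or library raises ConfigurationError instead of returning False, so OPENSSL_HEADERS and OPENSSL_LIB can never become False and the final `if OPENSSL_HEADERS and OPENSSL_LIB:` is dead code. Either pass `mandatory=False` to the per-header and `lib="crypto"` checks so the flags mean something, or drop the flags and keep the checks mandatory, which the C hunks in this commit appear to need since they show no `#ifdef` around the EVP calls. As a style point, OPENSSL_HEADERS and OPENSSL_LIB are plain locals, so lower-case names such as `have_headers` and `have_lib` would follow Python convention. configure_openssl may continue past the end of this hunk.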
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/d815d6ee6a13992644a2a2129630e06ec5f1a5ea...c94c218ccaaf7028a05fd96700a21d0ddc5a3f13