OpenSSL: Fix OpenSSL 1.1.0 compatibility functions

Message ID	CAF8qwaBNrWtn0MhXt0EqdwUkZMv=zyXffXWnCzmQtK+iUemK8A@mail.gmail.com
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> MIME-Version: 1.0 From: David Benjamin <davidben@google.com> Date: Thu, 11 Aug 2016 10:49:49 -0400 Message-ID: <CAF8qwaBNrWtn0MhXt0EqdwUkZMv=zyXffXWnCzmQtK+iUemK8A@mail.gmail.com> Subject: [PATCH] OpenSSL: Fix OpenSSL 1.1.0 compatibility functions To: hostap@lists.infradead.org Content-Type: multipart/mixed; boundary=001a113fb72af2d7240539cce18e summary: Content analysis details: (-4.1 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [2607:f8b0:4001:c06:0:0:0:233 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Precedence: list Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Message ID

CAF8qwaBNrWtn0MhXt0EqdwUkZMv=zyXffXWnCzmQtK+iUemK8A@mail.gmail.com

State

Accepted

Headers

MIME-Version: 1.0
From: David Benjamin <davidben@google.com>
Date: Thu, 11 Aug 2016 10:49:49 -0400
Message-ID: <CAF8qwaBNrWtn0MhXt0EqdwUkZMv=zyXffXWnCzmQtK+iUemK8A@mail.gmail.com>
Subject: [PATCH] OpenSSL: Fix OpenSSL 1.1.0 compatibility functions
To: hostap@lists.infradead.org
Content-Type: multipart/mixed; boundary=001a113fb72af2d7240539cce18e
Precedence: list
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Commit Message

David Benjamin Aug. 11, 2016, 2:49 p.m. UTC

Attached since my mail client will probably mess it up otherwise.

To be consistent with OpenSSL 1.1.0, the free functions should
internally check for NULL. EVP_MD_CTX_free also was missing an
EVP_MD_CTX_cleanup, so this leaked a little.

OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace
with get_rfc3526_prime_1536 as a compatibility-only name. Use that
instead in 1.1.0.

Note this patch checks OPENSSL_VERSION_NUMBER for
BN_get_rfc3526_prime_1536 before OPENSSL_IS_BORINGSSL. This is
intentional. BoringSSL currently claims to be 1.0.2, so this won't
break existing BoringSSL's.

Eventually we hope to claim 1.1.0 compatibility. I think we originally
omitted get_rfc3526_prime_1536 because it was unnamespaced, but
BN_get_rfc3526_prime_1536 is a fine name so, when we claim 1.1.0, that
function will exist and you won't need the extra implementation. I'll
leave it to you all to decide when you drop support for older AOSP
releases, but my hope is that you can drop that ifdef, the
SSL_get_client_random one (sorry about that one!), and possibly
others, in time, and just rely on the advertised version number being
accurate. (Right now we're this awkward mix of mostly 1.0.2 with bits
of 1.1.0.)

You'll probably want to confirm I haven't broken 1.1.0. I've only
compile-tested this in Android.

David

Comments

Jouni Malinen Aug. 13, 2016, 9:28 p.m. UTC | #1

On Thu, Aug 11, 2016 at 10:49:49AM -0400, David Benjamin wrote:
> To be consistent with OpenSSL 1.1.0, the free functions should
> internally check for NULL. EVP_MD_CTX_free also was missing an
> EVP_MD_CTX_cleanup, so this leaked a little.
> 
> OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace
> with get_rfc3526_prime_1536 as a compatibility-only name. Use that
> instead in 1.1.0.

Thanks, applied.

From dc7c9214d7c4db3ff019706df2f0b06c0f2baeef Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@google.com>
Date: Wed, 10 Aug 2016 13:28:45 -0400
Subject: [PATCH] OpenSSL: Fix OpenSSL 1.1.0 compatibility functions

To be consistent with OpenSSL 1.1.0, the free functions should
internally check for NULL. EVP_MD_CTX_free also was missing an
EVP_MD_CTX_cleanup, so this leaked a little.

OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace
with get_rfc3526_prime_1536 as a compatibility-only name. Use that
instead in 1.1.0.

Signed-off-by: David Benjamin <davidben@google.com>
---
 src/crypto/crypto_openssl.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index 7f33686..19e0e2b 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -49,6 +49,8 @@  static HMAC_CTX * HMAC_CTX_new(void)
 
 static void HMAC_CTX_free(HMAC_CTX *ctx)
 {
+	if (!ctx)
+		return;
 	HMAC_CTX_cleanup(ctx);
 	bin_clear_free(ctx, sizeof(*ctx));
 }
@@ -67,6 +69,9 @@  static EVP_MD_CTX * EVP_MD_CTX_new(void)
 
 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
 {
+	if (!ctx)
+		return;
+	EVP_MD_CTX_cleanup(ctx);
 	bin_clear_free(ctx, sizeof(*ctx));
 }
 
@@ -74,7 +79,11 @@  static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
 
 static BIGNUM * get_group5_prime(void)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+	return BN_get_rfc3526_prime_1536(NULL);
+#elif !defined(OPENSSL_IS_BORINGSSL)
+	return get_rfc3526_prime_1536(NULL);
+#else
 	static const unsigned char RFC3526_PRIME_1536[] = {
 		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
 		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
@@ -94,9 +103,7 @@  static BIGNUM * get_group5_prime(void)
 		0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
 	};
         return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
-#else /* OPENSSL_IS_BORINGSSL */
-	return get_rfc3526_prime_1536(NULL);
-#endif /* OPENSSL_IS_BORINGSSL */
+#endif
 }
 
 #ifdef OPENSSL_NO_SHA256
-- 
2.8.0.rc3.226.g39d4020

OpenSSL: Fix OpenSSL 1.1.0 compatibility functions

Commit Message

Comments

Patch