From patchwork Thu Aug 11 14:49:49 2016
X-Patchwork-Submitter: David Benjamin
X-Patchwork-Id: 658248
From: David Benjamin
Date: Thu, 11 Aug 2016 10:49:49 -0400
Subject: [PATCH] OpenSSL: Fix OpenSSL 1.1.0 compatibility functions
To: hostap@lists.infradead.org

Attached since my mail client will probably mess it up otherwise.

To be consistent with OpenSSL 1.1.0, the free functions should internally check for NULL. EVP_MD_CTX_free also was missing an EVP_MD_CTX_cleanup, so this leaked a little.

OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace with get_rfc3526_prime_1536 as a compatibility-only name. Use that instead in 1.1.0.

Note this patch checks OPENSSL_VERSION_NUMBER for BN_get_rfc3526_prime_1536 before OPENSSL_IS_BORINGSSL. This is intentional. BoringSSL currently claims to be 1.0.2, so this won't break existing BoringSSL's.
Eventually we hope to claim 1.1.0 compatibility. I think we originally omitted get_rfc3526_prime_1536 because it was unnamespaced, but BN_get_rfc3526_prime_1536 is a fine name so, when we claim 1.1.0, that function will exist and you won't need the extra implementation. I'll leave it to you all to decide when you drop support for older AOSP releases, but my hope is that you can drop that ifdef, the SSL_get_client_random one (sorry about that one!), and possibly others, in time, and just rely on the advertised version number being accurate. (Right now we're this awkward mix of mostly 1.0.2 with bits of 1.1.0.)

You'll probably want to confirm I haven't broken 1.1.0. I've only compile-tested this in Android.

David

From dc7c9214d7c4db3ff019706df2f0b06c0f2baeef Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Wed, 10 Aug 2016 13:28:45 -0400
Subject: [PATCH] OpenSSL: Fix OpenSSL 1.1.0 compatibility functions

To be consistent with OpenSSL 1.1.0, the free functions should internally check for NULL. EVP_MD_CTX_free also was missing an EVP_MD_CTX_cleanup, so this leaked a little.

OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace with get_rfc3526_prime_1536 as a compatibility-only name. Use that instead in 1.1.0.

Signed-off-by: David Benjamin
---
 src/crypto/crypto_openssl.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c index 7f33686..19e0e2b 100644 --- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c @@ -49,6 +49,8 @@ static HMAC_CTX * HMAC_CTX_new(void) static void HMAC_CTX_free(HMAC_CTX *ctx) { + if (!ctx) + return; HMAC_CTX_cleanup(ctx); bin_clear_free(ctx, sizeof(*ctx)); } @@ -67,6 +69,9 @@ static EVP_MD_CTX * EVP_MD_CTX_new(void) static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) { + if (!ctx) + return; + EVP_MD_CTX_cleanup(ctx); bin_clear_free(ctx, sizeof(*ctx)); } 
@@ -74,7 +79,11 @@ static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) static BIGNUM * get_group5_prime(void) { -#ifdef OPENSSL_IS_BORINGSSL +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + return BN_get_rfc3526_prime_1536(NULL); +#elif !defined(OPENSSL_IS_BORINGSSL) + return get_rfc3526_prime_1536(NULL); +#else static const unsigned char RFC3526_PRIME_1536[] = { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, @@ -94,9 +103,7 @@ static BIGNUM * get_group5_prime(void) 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, }; return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL); -#else /* OPENSSL_IS_BORINGSSL */ - return get_rfc3526_prime_1536(NULL); -#endif /* OPENSSL_IS_BORINGSSL */ +#endif } #ifdef OPENSSL_NO_SHA256 -- 2.8.0.rc3.226.g39d4020
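
Review bot: The NULL check added at the top of HMAC_CTX_free (hunk @@ -49,6 +49,8 @@) has no comment explaining why it is there. A one-line comment saying that this wrapper mirrors OpenSSL 1.1.0, where the free functions accept NULL, would stop a later cleanup from removing the check as redundant; the same comment applies to the identical check in EVP_MD_CTX_free.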
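
Review bot: The EVP_MD_CTX_cleanup(ctx) call added in EVP_MD_CTX_free (hunk @@ -67,6 +69,9 @@) changes runtime behaviour on builds that use this compatibility wrapper, but the cover letter says the patch was only compile-tested in Android. Before this is applied, the digest paths should be exercised on a build that actually compiles this wrapper, so the new cleanup-then-bin_clear_free sequence is run at least once rather than only compiled.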
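
Review bot: In get_group5_prime (hunk @@ -74,7 +79,11 @@), the reason the OPENSSL_VERSION_NUMBER test comes before the OPENSSL_IS_BORINGSSL test is given only in the cover letter, not in the code or the commit message. A short comment above the #if should state that the ordering is intentional and that BoringSSL currently reports 1.0.2 and therefore reaches the #else table. The commit message also gives get_rfc3526_prime_1536 as both the new name and the compatibility-only name, while the 1.1.0 branch here calls BN_get_rfc3526_prime_1536; the message should be corrected to match the code.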
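
Review bot: The closing #endif in get_group5_prime (hunk @@ -94,9 +103,7 @@) drops the trailing comment that the removed lines carried, "#endif /* OPENSSL_IS_BORINGSSL */". The conditional is now three-way and the prime table sits between #else and #endif, so a trailing comment on both, for example "#else /* OPENSSL_IS_BORINGSSL */", would keep the branches readable and match the style of the code being replaced.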