diff options
author | Junio C Hamano <gitster@pobox.com> | 2016-05-06 14:53:24 -0700 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2016-05-06 14:53:24 -0700 |
commit | a0c9cf51c0ba6ca30f7325bc035200010f2c50f7 (patch) | |
tree | bf0c43cc8490b45e7cd753f1ec1254265f9506ff | |
parent | 8854ded7af794c10cc68957dbdd4c636811b97fa (diff) | |
parent | 1245c74936d5803415306ade3c5050614a26af4e (diff) | |
download | git-a0c9cf51c0ba6ca30f7325bc035200010f2c50f7.tar.gz |
Merge branch 'ky/imap-send-openssl-1.1.0' into maint
Upcoming OpenSSL 1.1.0 will break compilation b updating a few APIs
we use in imap-send, which has been adjusted for the change.
* ky/imap-send-openssl-1.1.0:
configure: remove checking for HMAC_CTX_cleanup
imap-send: avoid deprecated TLSv1_method()
imap-send: check NULL return of SSL_CTX_new()
imap-send: use HMAC() function provided by OpenSSL
-rw-r--r-- | Makefile | 6 | ||||
-rw-r--r-- | compat/apple-common-crypto.h | 16 | ||||
-rw-r--r-- | configure.ac | 4 | ||||
-rw-r--r-- | git-compat-util.h | 3 | ||||
-rw-r--r-- | imap-send.c | 20 |
5 files changed, 21 insertions, 28 deletions
@@ -355,9 +355,6 @@ all:: # # Define HAVE_CLOCK_MONOTONIC if your platform has CLOCK_MONOTONIC in librt. # -# Define NO_HMAC_CTX_CLEANUP if your OpenSSL is version 0.9.6b or earlier to -# cleanup the HMAC context with the older HMAC_cleanup function. -# # Define USE_PARENS_AROUND_GETTEXT_N to "yes" if your compiler happily # compiles the following initialization: # @@ -1138,9 +1135,6 @@ ifndef NO_OPENSSL ifdef NEEDS_CRYPTO_WITH_SSL OPENSSL_LIBSSL += -lcrypto endif - ifdef NO_HMAC_CTX_CLEANUP - BASIC_CFLAGS += -DNO_HMAC_CTX_CLEANUP - endif else BASIC_CFLAGS += -DNO_OPENSSL BLK_SHA1 = 1 diff --git a/compat/apple-common-crypto.h b/compat/apple-common-crypto.h index d3fb264181..11727f3e1e 100644 --- a/compat/apple-common-crypto.h +++ b/compat/apple-common-crypto.h @@ -3,12 +3,18 @@ #define HEADER_HMAC_H #define HEADER_SHA_H #include <CommonCrypto/CommonHMAC.h> -#define HMAC_CTX CCHmacContext -#define HMAC_Init(hmac, key, len, algo) CCHmacInit(hmac, algo, key, len) -#define HMAC_Update CCHmacUpdate -#define HMAC_Final(hmac, hash, ptr) CCHmacFinal(hmac, hash) -#define HMAC_CTX_cleanup(ignore) #define EVP_md5(...) kCCHmacAlgMD5 +/* CCHmac doesn't take md_len and the return type is void */ +#define HMAC git_CC_HMAC +static inline unsigned char *git_CC_HMAC(CCHmacAlgorithm alg, + const void *key, int key_len, + const unsigned char *data, size_t data_len, + unsigned char *md, unsigned int *md_len) +{ + CCHmac(alg, key, key_len, data, data_len, md); + return md; +} + #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070 #define APPLE_LION_OR_NEWER #include <Security/Security.h> diff --git a/configure.ac b/configure.ac index 0cd9f4680b..c279025747 100644 --- a/configure.ac +++ b/configure.ac @@ -970,10 +970,6 @@ AC_CHECK_LIB([iconv], [locale_charset], [CHARSET_LIB=-lcharset])]) GIT_CONF_SUBST([CHARSET_LIB]) # -# Define NO_HMAC_CTX_CLEANUP=YesPlease if HMAC_CTX_cleanup is missing. -AC_CHECK_LIB([crypto], [HMAC_CTX_cleanup], - [], [GIT_CONF_SUBST([NO_HMAC_CTX_CLEANUP], [YesPlease])]) -# # Define HAVE_CLOCK_GETTIME=YesPlease if clock_gettime is available. GIT_CHECK_FUNC(clock_gettime, [HAVE_CLOCK_GETTIME=YesPlease], diff --git a/git-compat-util.h b/git-compat-util.h index 474395471f..1f8b5f3b1f 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -279,9 +279,6 @@ extern char *gitdirname(char *); #endif #include <openssl/ssl.h> #include <openssl/err.h> -#ifdef NO_HMAC_CTX_CLEANUP -#define HMAC_CTX_cleanup HMAC_cleanup -#endif #endif /* On most systems <netdb.h> would have given us this, but diff --git a/imap-send.c b/imap-send.c index 407e46bc8c..938c691585 100644 --- a/imap-send.c +++ b/imap-send.c @@ -287,17 +287,20 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve SSL_library_init(); SSL_load_error_strings(); - if (use_tls_only) - meth = TLSv1_method(); - else - meth = SSLv23_method(); - + meth = SSLv23_method(); if (!meth) { ssl_socket_perror("SSLv23_method"); return -1; } ctx = SSL_CTX_new(meth); + if (!ctx) { + ssl_socket_perror("SSL_CTX_new"); + return -1; + } + + if (use_tls_only) + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); if (verify) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); @@ -862,7 +865,6 @@ static char hexchar(unsigned int b) static char *cram(const char *challenge_64, const char *user, const char *pass) { int i, resp_len, encoded_len, decoded_len; - HMAC_CTX hmac; unsigned char hash[16]; char hex[33]; char *response, *response_64, *challenge; @@ -877,10 +879,8 @@ static char *cram(const char *challenge_64, const char *user, const char *pass) (unsigned char *)challenge_64, encoded_len); if (decoded_len < 0) die("invalid challenge %s", challenge_64); - HMAC_Init(&hmac, (unsigned char *)pass, strlen(pass), EVP_md5()); - HMAC_Update(&hmac, (unsigned char *)challenge, decoded_len); - HMAC_Final(&hmac, hash, NULL); - HMAC_CTX_cleanup(&hmac); + if (!HMAC(EVP_md5(), pass, strlen(pass), (unsigned char *)challenge, decoded_len, hash, NULL)) + die("HMAC error"); hex[32] = 0; for (i = 0; i < 16; i++) { |