-rw-r--r--src/mongo/crypto/crypto_openssl.cpp33
-rw-r--r--src/mongo/util/net/ssl_manager.cpp15
2 files changed, 38 insertions, 10 deletions
diff --git a/src/mongo/crypto/crypto_openssl.cpp b/src/mongo/crypto/crypto_openssl.cpp
index 5c552826090..bdcb23402cd 100644
--- a/src/mongo/crypto/crypto_openssl.cpp
+++ b/src/mongo/crypto/crypto_openssl.cpp
@@ -30,16 +30,36 @@
#include "mongo/config.h"
#include "mongo/crypto/crypto.h"
+#include "mongo/stdx/memory.h"
#include "mongo/util/assert_util.h"
-#include "mongo/util/scopeguard.h"
#ifndef MONGO_CONFIG_SSL
#error This file should only be included in SSL-enabled builds
#endif
+#include <cstring>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/sha.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+namespace {
+// Copies of OpenSSL after 1.1.0 define new EVP digest routines. We must
+// polyfill used definitions to interact with older OpenSSL versions.
+EVP_MD_CTX* EVP_MD_CTX_new() {
+ void* ret = OPENSSL_malloc(sizeof(EVP_MD_CTX));
+
+ if (ret != NULL) {
+ memset(ret, 0, sizeof(EVP_MD_CTX));
+ }
+ return static_cast<EVP_MD_CTX*>(ret);
+}
+
+void EVP_MD_CTX_free(EVP_MD_CTX* ctx) {
+ EVP_MD_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
+}
+} // namespace
+#endif
namespace mongo {
namespace crypto {
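Review bot: The `EVP_MD_CTX_free` polyfill passes `ctx` straight to `EVP_MD_CTX_cleanup`, so a null pointer (the allocation-failure result of the `EVP_MD_CTX_new` polyfill just above it) is dereferenced instead of being ignored; as far as I recall, OpenSSL 1.1.0's own `EVP_MD_CTX_free` tolerates null, so the two behave differently exactly on the error path. The `unique_ptr` in this file never invokes its deleter on a null pointer, but any other caller of the polyfill would, so add a guard as the first line: `if (ctx == nullptr) return;`. While here, the comparison in `EVP_MD_CTX_new` should use `nullptr` rather than `NULL` to match the rest of the file's C++ style.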
@@ -49,14 +69,13 @@ namespace crypto {
SHA1Hash sha1(const unsigned char* input, const size_t inputLen) {
SHA1Hash output;
- EVP_MD_CTX digestCtx;
- EVP_MD_CTX_init(&digestCtx);
- ON_BLOCK_EXIT(EVP_MD_CTX_cleanup, &digestCtx);
+ std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)> digestCtx(EVP_MD_CTX_new(),
+ EVP_MD_CTX_free);
fassert(40379,
- EVP_DigestInit_ex(&digestCtx, EVP_sha1(), NULL) == 1 &&
- EVP_DigestUpdate(&digestCtx, input, inputLen) == 1 &&
- EVP_DigestFinal_ex(&digestCtx, output.data(), NULL) == 1);
+ EVP_DigestInit_ex(digestCtx.get(), EVP_sha1(), NULL) == 1 &&
+ EVP_DigestUpdate(digestCtx.get(), input, inputLen) == 1 &&
+ EVP_DigestFinal_ex(digestCtx.get(), output.data(), NULL) == 1);
return output;
}
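Review bot: `EVP_MD_CTX_new()` can return null on allocation failure, and the new code hands `digestCtx.get()` to `EVP_DigestInit_ex` without checking it, so the failure would surface as a null dereference inside OpenSSL rather than as the `fassert` the function relies on for every other failure. The cheapest fix is to fold the check into the existing assertion, `fassert(40379, digestCtx && EVP_DigestInit_ex(digestCtx.get(), EVP_sha1(), NULL) == 1 &&`, leaving the remaining two conjuncts unchanged. The stack-allocated context the old code used could not fail this way, which is presumably why no check existed before.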
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index ed70d6b96a4..75aaba0394d 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -125,6 +125,15 @@ IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(ASN1_SEQUENCE_ANY, ASN1_SET_ANY, ASN
#endif // MONGO_CONFIG_NEEDS_ASN1_ANY_DEFINITIONS
// clang-format on
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+// Copies of OpenSSL after 1.1.0 define new functions for interaction with
+// X509 structure. We must polyfill used definitions to interact with older
+// OpenSSL versions.
+const STACK_OF(X509_EXTENSION) * X509_get0_extensions(const X509* peerCert) {
+ return peerCert->cert_info->extensions;
+}
+#endif
+
/**
* Multithreaded Support for SSL.
*
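Review bot: The `X509_get0_extensions` polyfill is defined at namespace scope with external linkage, unlike the EVP polyfills in `crypto_openssl.cpp`, which sit in an anonymous namespace; if a second translation unit ever adds the same shim for pre-1.1.0 OpenSSL, the two definitions would collide at link time. Give it internal linkage, either `static const STACK_OF(X509_EXTENSION)* X509_get0_extensions(const X509* peerCert) {` or by wrapping it in `namespace { ... }`, so each file's shim stays local. The comment above it could also say that the function reads the private `cert_info` field that 1.1.0 made opaque, which is the reason the accessor exists, e.g. `// Pre-1.1.0 exposes cert_info directly; 1.1.0 made X509 opaque and added this accessor.`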
@@ -754,7 +763,7 @@ bool SSLManager::_parseAndValidateCertificate(const std::string& keyFile,
const std::string& keyPassword,
std::string* subjectName,
Date_t* serverCertificateExpirationDate) {
- BIO* inBIO = BIO_new(BIO_s_file_internal());
+ BIO* inBIO = BIO_new(BIO_s_file());
if (inBIO == NULL) {
error() << "failed to allocate BIO object: " << getSSLErrorMessage(ERR_get_error());
return false;
@@ -813,7 +822,7 @@ bool SSLManager::_setupPEM(SSL_CTX* context,
return false;
}
- BIO* inBio = BIO_new(BIO_s_file_internal());
+ BIO* inBio = BIO_new(BIO_s_file());
if (!inBio) {
error() << "failed to allocate BIO object: " << getSSLErrorMessage(ERR_get_error());
return false;
@@ -1291,7 +1300,7 @@ SSLPeerInfo SSLManager::parseAndValidatePeerCertificateDeprecated(const SSLConne
StatusWith<stdx::unordered_set<RoleName>> SSLManager::_parsePeerRoles(X509* peerCert) const {
// exts is owned by the peerCert
- STACK_OF(X509_EXTENSION)* exts = peerCert->cert_info->extensions;
+ const STACK_OF(X509_EXTENSION)* exts = X509_get0_extensions(peerCert);
int extCount = 0;
if (exts) {