-rw-r--r-- | src/mongo/crypto/crypto_openssl.cpp | 33 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 15 |
2 files changed, 38 insertions, 10 deletions
diff --git a/src/mongo/crypto/crypto_openssl.cpp b/src/mongo/crypto/crypto_openssl.cpp
index 5c552826090..bdcb23402cd 100644
--- a/src/mongo/crypto/crypto_openssl.cpp
+++ b/src/mongo/crypto/crypto_openssl.cpp
@@ -30,16 +30,36 @@
 #include "mongo/config.h"
 #include "mongo/crypto/crypto.h"
+#include "mongo/stdx/memory.h"
 #include "mongo/util/assert_util.h"
-#include "mongo/util/scopeguard.h"
 #ifndef MONGO_CONFIG_SSL
 #error This file should only be included in SSL-enabled builds
 #endif
+#include <cstring>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/sha.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+namespace {
+// Copies of OpenSSL after 1.1.0 define new EVP digest routines. We must
+// polyfill used definitions to interact with older OpenSSL versions.
+EVP_MD_CTX* EVP_MD_CTX_new() {
+ void* ret = OPENSSL_malloc(sizeof(EVP_MD_CTX));
+ if (ret != NULL) {
+ memset(ret, 0, sizeof(EVP_MD_CTX));
+ }
+ return static_cast<EVP_MD_CTX*>(ret);
+}
+
+void EVP_MD_CTX_free(EVP_MD_CTX* ctx) {
+ EVP_MD_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
+}
+} // namespace
+#endif
 namespace mongo {
 namespace crypto {
@@ -49,14 +69,13 @@ namespace crypto {
 SHA1Hash sha1(const unsigned char* input, const size_t inputLen) {
 SHA1Hash output;
- EVP_MD_CTX digestCtx;
- EVP_MD_CTX_init(&digestCtx);
- ON_BLOCK_EXIT(EVP_MD_CTX_cleanup, &digestCtx);
+ std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)> digestCtx(EVP_MD_CTX_new(),
+ EVP_MD_CTX_free);
 fassert(40379,
- EVP_DigestInit_ex(&digestCtx, EVP_sha1(), NULL) == 1 &&
- EVP_DigestUpdate(&digestCtx, input, inputLen) == 1 &&
- EVP_DigestFinal_ex(&digestCtx, output.data(), NULL) == 1);
+ EVP_DigestInit_ex(digestCtx.get(), EVP_sha1(), NULL) == 1 &&
+ EVP_DigestUpdate(digestCtx.get(), input, inputLen) == 1 &&
+ EVP_DigestFinal_ex(digestCtx.get(), output.data(), NULL) == 1);
 return output;
 }
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index ed70d6b96a4..75aaba0394d 100644
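Review bot: The `EVP_MD_CTX_free` polyfill in the first hunk calls `EVP_MD_CTX_cleanup(ctx)` unconditionally, while the OpenSSL 1.1.0 function it stands in for accepts a null pointer; `std::unique_ptr` happens not to invoke its deleter on null, so `sha1` is not affected, but any other caller that relies on the real contract would dereference null on a pre-1.1.0 build. OpenSSL 1.0.x already provides `EVP_MD_CTX_create()` and `EVP_MD_CTX_destroy()`, which do exactly this allocate-and-init / cleanup-and-free pairing, so the polyfill can forward to them instead of hand-rolling `OPENSSL_malloc` plus `memset`: `EVP_MD_CTX* EVP_MD_CTX_new() { return EVP_MD_CTX_create(); }` and `void EVP_MD_CTX_free(EVP_MD_CTX* ctx) { EVP_MD_CTX_destroy(ctx); }`. If the hand-rolled version is kept, add `if (ctx == NULL) return;` ahead of the cleanup, and since `<cstring>` only guarantees the qualified name, write `std::memset`.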
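Review bot: In the `sha1` hunk, `EVP_MD_CTX_new()` can return null on allocation failure (the polyfill above explicitly returns null when `OPENSSL_malloc` fails, and the 1.1.0 function behaves the same), and the new code passes `digestCtx.get()` straight into `EVP_DigestInit_ex` inside the `fassert`, so an allocation failure would surface as a null dereference rather than the fassert's diagnostic. Check the handle first, e.g. `fassert(<NEW_FASSERT_ID placeholder>, digestCtx != nullptr);` before the existing `fassert(40379, ...)`. The hunk includes `"mongo/stdx/memory.h"` for `std::unique_ptr`; presumably that header pulls in `<memory>`, otherwise add it explicitly.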
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -125,6 +125,15 @@ IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(ASN1_SEQUENCE_ANY, ASN1_SET_ANY, ASN
 #endif // MONGO_CONFIG_NEEDS_ASN1_ANY_DEFINITIONS
 // clang-format on
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+// Copies of OpenSSL after 1.1.0 define new functions for interaction with
+// X509 structure. We must polyfill used definitions to interact with older
+// OpenSSL versions.
+const STACK_OF(X509_EXTENSION) * X509_get0_extensions(const X509* peerCert) {
+ return peerCert->cert_info->extensions;
+}
+#endif
+
 /**
 * Multithreaded Support for SSL.
 *
@@ -754,7 +763,7 @@ bool SSLManager::_parseAndValidateCertificate(const std::string& keyFile,
 const std::string& keyPassword,
 std::string* subjectName,
 Date_t* serverCertificateExpirationDate) {
- BIO* inBIO = BIO_new(BIO_s_file_internal());
+ BIO* inBIO = BIO_new(BIO_s_file());
 if (inBIO == NULL) {
 error() << "failed to allocate BIO object: " << getSSLErrorMessage(ERR_get_error());
 return false;
@@ -813,7 +822,7 @@ bool SSLManager::_setupPEM(SSL_CTX* context,
 return false;
 }
- BIO* inBio = BIO_new(BIO_s_file_internal());
+ BIO* inBio = BIO_new(BIO_s_file());
 if (!inBio) {
 error() << "failed to allocate BIO object: " << getSSLErrorMessage(ERR_get_error());
 return false;
@@ -1291,7 +1300,7 @@ SSLPeerInfo SSLManager::parseAndValidatePeerCertificateDeprecated(const SSLConne
 StatusWith<stdx::unordered_set<RoleName>> SSLManager::_parsePeerRoles(X509* peerCert) const {
 // exts is owned by the peerCert
- STACK_OF(X509_EXTENSION)* exts = peerCert->cert_info->extensions;
+ const STACK_OF(X509_EXTENSION)* exts = X509_get0_extensions(peerCert);
 int extCount = 0;
 if (exts) {
|
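Review bot: The `X509_get0_extensions` polyfill in the first hunk is defined at namespace scope with external linkage (no `static`, no anonymous namespace), unlike the EVP polyfill added to crypto_openssl.cpp in the same commit, which is wrapped in `namespace { ... }`; a second translation unit that polyfills the same symbol for pre-1.1.0 builds would then fail to link. Wrap it the same way, `namespace { ... }  // namespace`, so both polyfills follow one convention and stay local to their file. The enclosing namespace at this point of ssl_manager.cpp is outside the hunk, so I cannot tell whether the definition lands in `mongo` or at global scope; the remaining hunks (`BIO_s_file_internal` → `BIO_s_file`, the `const` stack in `_parsePeerRoles`) look correct as written.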