OpenSSL 1.1 compatibility
Attachments
- 03 Jan 2017, 03:46 PM
- 03 Jan 2017, 03:45 PM
Activity
I think we're done on this, just a matter of getting all of it shipped with 3.0
I think that this is done, but I'll leave it open in case there is non windows install stuff I know not the what of.
Pushed over as r1777158
In doing some end to end testing with Shib I discovered an issue with code which looks like this:
// We have everything, so we can fully init.
EVP_CipherInit(mp_ctx, EVP_aes_256_gcm(), NULL, NULL, 0);
EVP_CIPHER_CTX_ctrl(mp_ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL);
EVP_CIPHER_CTX_ctrl(mp_ctx, EVP_CTRL_GCM_SET_TAG, 16, (void*)m_tagBuf.rawBuffer());
// Second init with the key and IV: under OpenSSL 1.1 this resets the ctx first,
// discarding the IV length and tag configured above.
EVP_CipherInit(mp_ctx, NULL, m_keyBuf.rawBuffer(), iv, 0);
because in OpenSSL EVP_CipherInit does an EVP_CIPHER_CTX_reset(ctx) and then calls EVP_CipherInit_ex. So we end up with a destroyed mp_ctx.
Thanks guys.
I have pushed (to the DEC10 stream of the usual place) a fix (to call the _ex variant directly). Also attached is a patch and the changed file.
> this would be a 1.8 library bump for xmlsec?
Yup. If it wasn't for the fact that it's because of a lib's minor version bump one could make a case for it being a 1.7.whatever.
> No pure virtual methods added to existing classes, and no classes or methods removed?
None.
One new class and two private methods for existing classes.
Starting to get questions about getting things to build on OpenSSL 1.1. There are going to be changes needed to xmltooling and Santuario, but I'm more concerned that if the structures become opaque, we may be dead in the water in certain areas.
Once we know the scope of the changes we can assess whether the functionality we lose is used by the SP or not. I'm not optimistic.
Support for 1.0.2 is through 2019, though obviously specific distributions may jump the gun and create problems.