From: Nikolai Kondrashov
Date: Fri, 18 Nov 2016 18:08:56 +0000 (+0200)
Subject: Do not use HMAC_CTX_init
X-Git-Tag: release_3_0_13~92^2~6
X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=d2b119e9cd5f20dd900079b414104be9ab70d349;p=freeradius.git
Do not use HMAC_CTX_init
Switch to using HMAC_CTX_new in place of HMAC_CTX_init, which was removed in OpenSSL 1.1, resulting in broken build.
---
diff --git a/src/modules/rlm_eap/libeap/mppe_keys.c b/src/modules/rlm_eap/libeap/mppe_keys.c
index 549183e..1de3447 100644
--- a/src/modules/rlm_eap/libeap/mppe_keys.c
+++ b/src/modules/rlm_eap/libeap/mppe_keys.c
@@ -37,51 +37,51 @@ static void P_hash(EVP_MD const *evp_md, unsigned char const *seed, unsigned int seed_len, unsigned char *out, unsigned int out_len) { - HMAC_CTX ctx_a, ctx_out; + HMAC_CTX *ctx_a, *ctx_out; unsigned char a[HMAC_MAX_MD_CBLOCK]; unsigned int size; - HMAC_CTX_init(&ctx_a); - HMAC_CTX_init(&ctx_out); + ctx_a = HMAC_CTX_new(); + ctx_out = HMAC_CTX_new(); #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - HMAC_CTX_set_flags(&ctx_a, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - HMAC_CTX_set_flags(&ctx_out, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + HMAC_CTX_set_flags(ctx_a, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + HMAC_CTX_set_flags(ctx_out, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); #endif - HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL); - HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL); + HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL); + HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL); - size = HMAC_size(&ctx_out); + size = HMAC_size(ctx_out); /* Calculate A(1) */ - HMAC_Update(&ctx_a, seed, seed_len); - HMAC_Final(&ctx_a, a, NULL); + HMAC_Update(ctx_a, seed, seed_len); + HMAC_Final(ctx_a, a, NULL); while (1) { /* Calculate next part of output */ - HMAC_Update(&ctx_out, a, size); - HMAC_Update(&ctx_out, seed, seed_len); + HMAC_Update(ctx_out, a, size); + HMAC_Update(ctx_out, seed, seed_len); /* Check if last part */ if (out_len < size) { - HMAC_Final(&ctx_out, a, NULL); + HMAC_Final(ctx_out, a, NULL); memcpy(out, a, out_len); break; } /* Place digest in output buffer */ - HMAC_Final(&ctx_out, out, NULL); - HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL); + HMAC_Final(ctx_out, out, NULL); + HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL); out += size; out_len -= size; /* Calculate next A(i) */ - HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL); - HMAC_Update(&ctx_a, a, size); - HMAC_Final(&ctx_a, a, NULL); + HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL); + HMAC_Update(ctx_a, a, size); + HMAC_Final(ctx_a, a, NULL); } - HMAC_CTX_cleanup(&ctx_a); - HMAC_CTX_cleanup(&ctx_out); + 
HMAC_CTX_free(ctx_a); + HMAC_CTX_free(ctx_out); memset(a, 0, sizeof(a)); } diff --git a/src/modules/rlm_otp/otp_radstate.c b/src/modules/rlm_otp/otp_radstate.c index 868be6a..afde594 100644 --- a/src/modules/rlm_otp/otp_radstate.c +++ b/src/modules/rlm_otp/otp_radstate.c @@ -110,7 +110,7 @@ size_t otp_gen_state(char state[OTP_MAX_RADSTATE_LEN], size_t clen, int32_t flags, int32_t when, uint8_t const key[16]) { - HMAC_CTX hmac_ctx; + HMAC_CTX *hmac_ctx; uint8_t hmac[MD5_DIGEST_LENGTH]; char *p; @@ -120,13 +120,13 @@ size_t otp_gen_state(char state[OTP_MAX_RADSTATE_LEN], * having to collect the data to be signed into one * contiguous piece. */ - HMAC_CTX_init(&hmac_ctx); - HMAC_Init(&hmac_ctx, key, sizeof(key[0]) * 16, EVP_md5()); - HMAC_Update(&hmac_ctx, (uint8_t const *) challenge, clen); - HMAC_Update(&hmac_ctx, (uint8_t *) &flags, 4); - HMAC_Update(&hmac_ctx, (uint8_t *) &when, 4); - HMAC_Final(&hmac_ctx, hmac, NULL); - HMAC_cleanup(&hmac_ctx); + hmac_ctx = HMAC_CTX_new(); + HMAC_Init(hmac_ctx, key, sizeof(key[0]) * 16, EVP_md5()); + HMAC_Update(hmac_ctx, (uint8_t const *) challenge, clen); + HMAC_Update(hmac_ctx, (uint8_t *) &flags, 4); + HMAC_Update(hmac_ctx, (uint8_t *) &when, 4); + HMAC_Final(hmac_ctx, hmac, NULL); + HMAC_CTX_free(hmac_ctx); /* * Generate the state. diff --git a/src/modules/rlm_wimax/rlm_wimax.c b/src/modules/rlm_wimax/rlm_wimax.c index 531dc0e..f0fb394 100644 --- a/src/modules/rlm_wimax/rlm_wimax.c +++ b/src/modules/rlm_wimax/rlm_wimax.c @@ -121,7 +121,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque rlm_wimax_t *inst = instance; VALUE_PAIR *msk, *emsk, *vp; VALUE_PAIR *mn_nai, *ip, *fa_rk; - HMAC_CTX hmac; + HMAC_CTX *hmac; unsigned int rk1_len, rk2_len, rk_len; uint32_t mip_spi; uint8_t usage_data[24]; 
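Review bot: The result of `HMAC_CTX_new()` is used without a NULL check in P_hash; unlike the old stack contexts, the allocation can fail, and `HMAC_CTX_set_flags(ctx_a, ...)` or `HMAC_Init_ex(ctx_a, ...)` would then be handed a null context in the key-derivation path. Because P_hash returns void it cannot report the failure, and a silent early return would leave `out` unfilled, so it likely needs an int return that callers check, e.g. `if (!ctx_a || !ctx_out) { HMAC_CTX_free(ctx_a); HMAC_CTX_free(ctx_out); return -1; }`. The same unchecked allocation appears in otp_gen_state (otp_radstate.c, `hmac_ctx = HMAC_CTX_new();`) and in mod_post_auth (rlm_wimax.c, `hmac = HMAC_CTX_new();`). P_hash's parameter list begins above this hunk (`secret` and `secret_len` are not declared in the visible lines).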
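Review bot: `HMAC_Init(hmac_ctx, key, ...)` is kept in otp_gen_state although OpenSSL 1.1.0 deprecates HMAC_Init in favour of HMAC_Init_ex, so a build with deprecated APIs disabled would still break on this line; `HMAC_Init_ex(hmac_ctx, key, sizeof(key[0]) * 16, EVP_md5(), NULL);` matches the calls used in the other two files. Conversely, HMAC_CTX_new and HMAC_CTX_free do not exist before 1.1.0, so unless a compatibility shim is provided elsewhere (none is visible on this page) builds against older OpenSSL would now fail. otp_gen_state's body continues beyond the hunk.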
@@ -160,20 +160,20 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque /* * MIP-RK-1 = HMAC-SSHA256(EMSK, usage-data | 0x01) */ - HMAC_CTX_init(&hmac); - HMAC_Init_ex(&hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL); + hmac = HMAC_CTX_new(); + HMAC_Init_ex(hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL); - HMAC_Update(&hmac, &usage_data[0], sizeof(usage_data)); - HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); + HMAC_Update(hmac, &usage_data[0], sizeof(usage_data)); + HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); /* * MIP-RK-2 = HMAC-SSHA256(EMSK, MIP-RK-1 | usage-data | 0x01) */ - HMAC_Init_ex(&hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL); + HMAC_Init_ex(hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL); - HMAC_Update(&hmac, (uint8_t const *) &mip_rk_1, rk1_len); - HMAC_Update(&hmac, &usage_data[0], sizeof(usage_data)); - HMAC_Final(&hmac, &mip_rk_2[0], &rk2_len); + HMAC_Update(hmac, (uint8_t const *) &mip_rk_1, rk1_len); + HMAC_Update(hmac, &usage_data[0], sizeof(usage_data)); + HMAC_Final(hmac, &mip_rk_2[0], &rk2_len); memcpy(mip_rk, mip_rk_1, rk1_len); memcpy(mip_rk + rk1_len, mip_rk_2, rk2_len); @@ -182,10 +182,10 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque /* * MIP-SPI = HMAC-SSHA256(MIP-RK, "SPI CMIP PMIP"); */ - HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha256(), NULL); + HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha256(), NULL); - HMAC_Update(&hmac, (uint8_t const *) "SPI CMIP PMIP", 12); - HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); + HMAC_Update(hmac, (uint8_t const *) "SPI CMIP PMIP", 12); + HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); /* * Take the 4 most significant octets. 
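Review bot: The return values of `HMAC_Init_ex`, `HMAC_Update` and `HMAC_Final` are ignored, yet `rk1_len` and `rk2_len` (declared without initialisers near the top of mod_post_auth) are then used as copy lengths in `memcpy(mip_rk, mip_rk_1, rk1_len);` and `memcpy(mip_rk + rk1_len, mip_rk_2, rk2_len);`. If an HMAC call fails, the lengths are presumably left unset (to be confirmed against the OpenSSL version in use) and the copies into `mip_rk` run with indeterminate sizes. Initialising the lengths to 0 and checking each call, e.g. `if (HMAC_Final(hmac, &mip_rk_1[0], &rk1_len) != 1) { HMAC_CTX_free(hmac); return RLM_MODULE_FAIL; }`, would close that. mod_post_auth starts and ends outside this hunk.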
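Review bot: The length in `HMAC_Update(hmac, (uint8_t const *) "SPI CMIP PMIP", 12);` is one short of the 13-character literal, so the final `P` is not hashed; the other labels on this page (`"PMIP4 MN HA"` with 11, `"FA-RK"` with 5) match their lengths. This predates the commit, and changing it alters every derived MIP-SPI, so it should be confirmed against the WiMAX key-derivation specification and deployed peers before it is touched. If 13 is intended, `sizeof("SPI CMIP PMIP") - 1` removes the hand count; if 12 is deliberate, a comment on that line saying so would stop a well-meant correction later.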
@@ -245,12 +245,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque * MN-HA-PMIP4 = * H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI); */ - HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL); + HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL); - HMAC_Update(&hmac, (uint8_t const *) "PMIP4 MN HA", 11); - HMAC_Update(&hmac, (uint8_t const *) &ip->vp_ipaddr, 4); - HMAC_Update(&hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); - HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); + HMAC_Update(hmac, (uint8_t const *) "PMIP4 MN HA", 11); + HMAC_Update(hmac, (uint8_t const *) &ip->vp_ipaddr, 4); + HMAC_Update(hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); + HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); /* * Put MN-HA-PMIP4 into WiMAX-MN-hHA-MIP4-Key @@ -295,12 +295,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque * MN-HA-CMIP4 = * H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI); */ - HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL); + HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL); - HMAC_Update(&hmac, (uint8_t const *) "CMIP4 MN HA", 11); - HMAC_Update(&hmac, (uint8_t const *) &ip->vp_ipaddr, 4); - HMAC_Update(&hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); - HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); + HMAC_Update(hmac, (uint8_t const *) "CMIP4 MN HA", 11); + HMAC_Update(hmac, (uint8_t const *) &ip->vp_ipaddr, 4); + HMAC_Update(hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); + HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); /* * Put MN-HA-CMIP4 into WiMAX-MN-hHA-MIP4-Key 
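Review bot: `(uint8_t const *) &mn_nai->vp_strvalue` passes the address of the `vp_strvalue` member rather than the string it refers to, whereas `emsk->vp_octets` in the earlier hunk is passed without `&`. If `vp_strvalue` is a pointer member (its declaration is not on this page), HMAC_Update reads `mn_nai->vp_length` bytes starting at the pointer itself, which reads past the member and derives the MN-HA key from the wrong data; `HMAC_Update(hmac, (uint8_t const *) mn_nai->vp_strvalue, mn_nai->vp_length);` would hash the NAI. The cast hides any type mismatch from the compiler. The same expression appears in the MN-HA-CMIP4 hunk (@@ -295) and the MN-HA-CMIP6 hunk (@@ -345).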
@@ -345,12 +345,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque * MN-HA-CMIP6 = * H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI); */ - HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL); + HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL); - HMAC_Update(&hmac, (uint8_t const *) "CMIP6 MN HA", 11); - HMAC_Update(&hmac, (uint8_t const *) &ip->vp_ipv6addr, 16); - HMAC_Update(&hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); - HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); + HMAC_Update(hmac, (uint8_t const *) "CMIP6 MN HA", 11); + HMAC_Update(hmac, (uint8_t const *) &ip->vp_ipv6addr, 16); + HMAC_Update(hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); + HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); /* * Put MN-HA-CMIP6 into WiMAX-MN-hHA-MIP6-Key @@ -392,11 +392,11 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque */ fa_rk = fr_pair_find_by_num(request->reply->vps, 14, VENDORPEC_WIMAX, TAG_ANY); if (fa_rk && (fa_rk->vp_length <= 1)) { - HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL); + HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL); - HMAC_Update(&hmac, (uint8_t const *) "FA-RK", 5); + HMAC_Update(hmac, (uint8_t const *) "FA-RK", 5); - HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); + HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); fr_pair_value_memcpy(fa_rk, &mip_rk_1[0], rk1_len); } @@ -450,7 +450,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque /* * Wipe the context of all sensitive information. */ - HMAC_CTX_cleanup(&hmac); + HMAC_CTX_free(hmac); return RLM_MODULE_UPDATED; }
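Review bot: `HMAC_CTX_free(hmac);` just before the final `return RLM_MODULE_UPDATED;` is now the only release of a heap object, so any other return between `hmac = HMAC_CTX_new();` and this point would leak the context together with its keyed state. The intervening code is outside the visible hunks, so this needs checking against the full function. Declaring `HMAC_CTX *hmac = NULL;` and routing every exit through a single cleanup path that calls `HMAC_CTX_free(hmac);` would make the wipe promised by the existing comment hold on all paths.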