Do not use HMAC_CTX_init

Switch to using HMAC_CTX_new in place of HMAC_CTX_init, which was
removed in OpenSSL 1.1, resulting in broken build.

diff --git a/src/modules/rlm_eap/libeap/mppe_keys.c b/src/modules/rlm_eap/libeap/mppe_keys.c
index 549183e..1de3447 100644 (file)
--- a/src/modules/rlm_eap/libeap/mppe_keys.c
+++ b/src/modules/rlm_eap/libeap/mppe_keys.c
@@ -37,51 +37,51 @@ static void P_hash(EVP_MD const *evp_md,
                   unsigned char const *seed,   unsigned int seed_len,
                   unsigned char *out, unsigned int out_len)
 {
-       HMAC_CTX ctx_a, ctx_out;
+       HMAC_CTX *ctx_a, *ctx_out;
        unsigned char a[HMAC_MAX_MD_CBLOCK];
        unsigned int size;
 
-       HMAC_CTX_init(&ctx_a);
-       HMAC_CTX_init(&ctx_out);
+       ctx_a = HMAC_CTX_new();
+       ctx_out = HMAC_CTX_new();
 #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-       HMAC_CTX_set_flags(&ctx_a, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-       HMAC_CTX_set_flags(&ctx_out, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+       HMAC_CTX_set_flags(ctx_a, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+       HMAC_CTX_set_flags(ctx_out, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 #endif
-       HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL);
-       HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL);
+       HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
+       HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
 
-       size = HMAC_size(&ctx_out);
+       size = HMAC_size(ctx_out);
 
        /* Calculate A(1) */
-       HMAC_Update(&ctx_a, seed, seed_len);
-       HMAC_Final(&ctx_a, a, NULL);
+       HMAC_Update(ctx_a, seed, seed_len);
+       HMAC_Final(ctx_a, a, NULL);
 
        while (1) {
                /* Calculate next part of output */
-               HMAC_Update(&ctx_out, a, size);
-               HMAC_Update(&ctx_out, seed, seed_len);
+               HMAC_Update(ctx_out, a, size);
+               HMAC_Update(ctx_out, seed, seed_len);
 
                /* Check if last part */
                if (out_len < size) {
-                       HMAC_Final(&ctx_out, a, NULL);
+                       HMAC_Final(ctx_out, a, NULL);
                        memcpy(out, a, out_len);
                        break;
                }
 
                /* Place digest in output buffer */
-               HMAC_Final(&ctx_out, out, NULL);
-               HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL);
+               HMAC_Final(ctx_out, out, NULL);
+               HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
                out += size;
                out_len -= size;
 
                /* Calculate next A(i) */
-               HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL);
-               HMAC_Update(&ctx_a, a, size);
-               HMAC_Final(&ctx_a, a, NULL);
+               HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
+               HMAC_Update(ctx_a, a, size);
+               HMAC_Final(ctx_a, a, NULL);
        }
 
-       HMAC_CTX_cleanup(&ctx_a);
-       HMAC_CTX_cleanup(&ctx_out);
+       HMAC_CTX_free(ctx_a);
+       HMAC_CTX_free(ctx_out);
        memset(a, 0, sizeof(a));
 }
 

diff --git a/src/modules/rlm_otp/otp_radstate.c b/src/modules/rlm_otp/otp_radstate.c
index 868be6a..afde594 100644 (file)
--- a/src/modules/rlm_otp/otp_radstate.c
+++ b/src/modules/rlm_otp/otp_radstate.c
@@ -110,7 +110,7 @@ size_t otp_gen_state(char state[OTP_MAX_RADSTATE_LEN],
                     size_t clen,
                     int32_t flags, int32_t when, uint8_t const key[16])
 {
-       HMAC_CTX hmac_ctx;
+       HMAC_CTX *hmac_ctx;
        uint8_t hmac[MD5_DIGEST_LENGTH];
        char *p;
 
@@ -120,13 +120,13 @@ size_t otp_gen_state(char state[OTP_MAX_RADSTATE_LEN],
         *      having to collect the data to be signed into one
         *      contiguous piece.
         */
-       HMAC_CTX_init(&hmac_ctx);
-       HMAC_Init(&hmac_ctx, key, sizeof(key[0]) * 16, EVP_md5());
-       HMAC_Update(&hmac_ctx, (uint8_t const *) challenge, clen);
-       HMAC_Update(&hmac_ctx, (uint8_t *) &flags, 4);
-       HMAC_Update(&hmac_ctx, (uint8_t *) &when, 4);
-       HMAC_Final(&hmac_ctx, hmac, NULL);
-       HMAC_cleanup(&hmac_ctx);
+       hmac_ctx = HMAC_CTX_new();
+       HMAC_Init(hmac_ctx, key, sizeof(key[0]) * 16, EVP_md5());
+       HMAC_Update(hmac_ctx, (uint8_t const *) challenge, clen);
+       HMAC_Update(hmac_ctx, (uint8_t *) &flags, 4);
+       HMAC_Update(hmac_ctx, (uint8_t *) &when, 4);
+       HMAC_Final(hmac_ctx, hmac, NULL);
+       HMAC_CTX_free(hmac_ctx);
 
        /*
         *      Generate the state.

diff --git a/src/modules/rlm_wimax/rlm_wimax.c b/src/modules/rlm_wimax/rlm_wimax.c
index 531dc0e..f0fb394 100644 (file)
--- a/src/modules/rlm_wimax/rlm_wimax.c
+++ b/src/modules/rlm_wimax/rlm_wimax.c
@@ -121,7 +121,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque
        rlm_wimax_t *inst = instance;
        VALUE_PAIR *msk, *emsk, *vp;
        VALUE_PAIR *mn_nai, *ip, *fa_rk;
-       HMAC_CTX hmac;
+       HMAC_CTX *hmac;
        unsigned int rk1_len, rk2_len, rk_len;
        uint32_t mip_spi;
        uint8_t usage_data[24];
@@ -160,20 +160,20 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque
        /*
         *      MIP-RK-1 = HMAC-SSHA256(EMSK, usage-data | 0x01)
         */
-       HMAC_CTX_init(&hmac);
-       HMAC_Init_ex(&hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL);
+       hmac = HMAC_CTX_new();
+       HMAC_Init_ex(hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL);
 
-       HMAC_Update(&hmac, &usage_data[0], sizeof(usage_data));
-       HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len);
+       HMAC_Update(hmac, &usage_data[0], sizeof(usage_data));
+       HMAC_Final(hmac, &mip_rk_1[0], &rk1_len);
 
        /*
         *      MIP-RK-2 = HMAC-SSHA256(EMSK, MIP-RK-1 | usage-data | 0x01)
         */
-       HMAC_Init_ex(&hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL);
+       HMAC_Init_ex(hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL);
 
-       HMAC_Update(&hmac, (uint8_t const *) &mip_rk_1, rk1_len);
-       HMAC_Update(&hmac, &usage_data[0], sizeof(usage_data));
-       HMAC_Final(&hmac, &mip_rk_2[0], &rk2_len);
+       HMAC_Update(hmac, (uint8_t const *) &mip_rk_1, rk1_len);
+       HMAC_Update(hmac, &usage_data[0], sizeof(usage_data));
+       HMAC_Final(hmac, &mip_rk_2[0], &rk2_len);
 
        memcpy(mip_rk, mip_rk_1, rk1_len);
        memcpy(mip_rk + rk1_len, mip_rk_2, rk2_len);
@@ -182,10 +182,10 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque
        /*
         *      MIP-SPI = HMAC-SSHA256(MIP-RK, "SPI CMIP PMIP");
         */
-       HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha256(), NULL);
+       HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha256(), NULL);
 
-       HMAC_Update(&hmac, (uint8_t const *) "SPI CMIP PMIP", 12);
-       HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len);
+       HMAC_Update(hmac, (uint8_t const *) "SPI CMIP PMIP", 12);
+       HMAC_Final(hmac, &mip_rk_1[0], &rk1_len);
 
        /*
         *      Take the 4 most significant octets.
@@ -245,12 +245,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque
                 *      MN-HA-PMIP4 =
                 *         H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI);
                 */
-               HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL);
+               HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL);
 
-               HMAC_Update(&hmac, (uint8_t const *) "PMIP4 MN HA", 11);
-               HMAC_Update(&hmac, (uint8_t const *) &ip->vp_ipaddr, 4);
-               HMAC_Update(&hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length);
-               HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len);
+               HMAC_Update(hmac, (uint8_t const *) "PMIP4 MN HA", 11);
+               HMAC_Update(hmac, (uint8_t const *) &ip->vp_ipaddr, 4);
+               HMAC_Update(hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length);
+               HMAC_Final(hmac, &mip_rk_1[0], &rk1_len);
 
                /*
                 *      Put MN-HA-PMIP4 into WiMAX-MN-hHA-MIP4-Key
@@ -295,12 +295,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque
                 *      MN-HA-CMIP4 =
                 *         H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI);
                 */
-               HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL);
+               HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL);
 
-               HMAC_Update(&hmac, (uint8_t const *) "CMIP4 MN HA", 11);
-               HMAC_Update(&hmac, (uint8_t const *) &ip->vp_ipaddr, 4);
-               HMAC_Update(&hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length);
-               HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len);
+               HMAC_Update(hmac, (uint8_t const *) "CMIP4 MN HA", 11);
+               HMAC_Update(hmac, (uint8_t const *) &ip->vp_ipaddr, 4);
+               HMAC_Update(hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length);
+               HMAC_Final(hmac, &mip_rk_1[0], &rk1_len);
 
                /*
                 *      Put MN-HA-CMIP4 into WiMAX-MN-hHA-MIP4-Key
@@ -345,12 +345,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque
                 *      MN-HA-CMIP6 =
                 *         H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI);
                 */
-               HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL);
+               HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL);
 
-               HMAC_Update(&hmac, (uint8_t const *) "CMIP6 MN HA", 11);
-               HMAC_Update(&hmac, (uint8_t const *) &ip->vp_ipv6addr, 16);
-               HMAC_Update(&hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length);
-               HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len);
+               HMAC_Update(hmac, (uint8_t const *) "CMIP6 MN HA", 11);
+               HMAC_Update(hmac, (uint8_t const *) &ip->vp_ipv6addr, 16);
+               HMAC_Update(hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length);
+               HMAC_Final(hmac, &mip_rk_1[0], &rk1_len);
 
                /*
                 *      Put MN-HA-CMIP6 into WiMAX-MN-hHA-MIP6-Key
@@ -392,11 +392,11 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque
         */
        fa_rk = fr_pair_find_by_num(request->reply->vps, 14, VENDORPEC_WIMAX, TAG_ANY);
        if (fa_rk && (fa_rk->vp_length <= 1)) {
-               HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL);
+               HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL);
 
-               HMAC_Update(&hmac, (uint8_t const *) "FA-RK", 5);
+               HMAC_Update(hmac, (uint8_t const *) "FA-RK", 5);
 
-               HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len);
+               HMAC_Final(hmac, &mip_rk_1[0], &rk1_len);
 
                fr_pair_value_memcpy(fa_rk, &mip_rk_1[0], rk1_len);
        }
@@ -450,7 +450,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, REQUEST *reque
        /*
         *      Wipe the context of all sensitive information.
         */
-       HMAC_CTX_cleanup(&hmac);
+       HMAC_CTX_free(hmac);
 
        return RLM_MODULE_UPDATED;
 }