
update soter/openssl to fix compatibility with new openssl version #258

Merged
merged 30 commits into from Dec 13, 2017
48b2aea
use pointers instead stack structs
Lagovas Oct 12, 2017
8d6cbf7
fix usage of openssl hash and rsa structs
Lagovas Oct 13, 2017
3ff6a58
update openssl ecdsa sign usage
Lagovas Oct 13, 2017
c17a30e
fix test running with cmake
Lagovas Oct 13, 2017
5397ec8
use explicit initializing digest context with new openssl api
Lagovas Oct 13, 2017
659f2b4
CMakeLists.txt simple non-productions script to build themis/soter/te…
Lagovas Oct 13, 2017
40ba664
fix secure_session tests
Lagovas Dec 6, 2017
2ff5832
fix valgrind check
Lagovas Dec 6, 2017
586a597
fix memory leaks and errors in tests
Lagovas Dec 6, 2017
603c04e
fix leak in old openssl after new changes
Lagovas Dec 7, 2017
fa5de60
install last valgrind on ci
Lagovas Dec 7, 2017
c99a333
fix installing valgrind
Lagovas Dec 7, 2017
45ca6d4
handle stack structs
Lagovas Dec 7, 2017
d2e6cc9
cache valgrind/golang fetching in ci
Lagovas Dec 7, 2017
4f12b69
add valgrind dependency
Lagovas Dec 7, 2017
b134542
restore installing golang
Lagovas Dec 7, 2017
48e6664
test cache on ci
Lagovas Dec 7, 2017
e279fc1
fix check cache
Lagovas Dec 7, 2017
1a48c04
Merge remote-tracking branch 'origin/master' into lagovas/fix-openssl…
Lagovas Dec 8, 2017
ba4b01f
revert using calloc instead malloc
Lagovas Dec 8, 2017
6913bdf
revert themis_secure_session.c test changes
Lagovas Dec 8, 2017
a657557
run nist test via cmakelists
Lagovas Dec 8, 2017
c5a8a71
use stack allocation of soter_hash instead heap in secure_comparator …
Lagovas Dec 8, 2017
4c84fe3
Revert "revert themis_secure_session.c test changes"
Lagovas Dec 8, 2017
3a4c001
run themis tests with boringssl and valgrind
Lagovas Dec 8, 2017
14c63f2
fix memory leak in boringssl/soter_hash
Lagovas Dec 8, 2017
dc5bbd4
Merge branch 'lagovas/fix-openssl-usage' of https://github.com/lagova…
Lagovas Dec 8, 2017
7917b98
drop openssl1.0.2 dependency for stretch
Lagovas Dec 11, 2017
1f854b6
Merge branch 'lagovas/fix-openssl-usage' of https://github.com/Lagova…
Lagovas Dec 11, 2017
7a6ec33
add failure check
Lagovas Dec 13, 2017

@@ -0,0 +1,24 @@
project(themis)
cmake_minimum_required(VERSION 3.8)
include_directories(src)
add_definitions("-DNIST_STS_EXE_PATH=tests/soter/nist-sts" -std=gnu99)

file(GLOB SOTER_SOURCE_FILES src/soter/*.c src/soter/openssl/*.c src/soter/ed25519/*)
add_library(soter ${SOTER_SOURCE_FILES})
add_library(soter_shared SHARED ${SOTER_SOURCE_FILES})
set_target_properties(soter_shared PROPERTIES OUTPUT_NAME soter)

file(GLOB_RECURSE THEMIS_SOURCE_FILES src/themis/*.c)
add_library(themis ${THEMIS_SOURCE_FILES})
add_library(themis_shared SHARED ${THEMIS_SOURCE_FILES})
set_target_properties(themis_shared PROPERTIES OUTPUT_NAME themis)

file(GLOB SOTER_TEST_SOURCE tests/soter/*.c tests/common/*.c )
file(GLOB THEMIS_TEST_SOURCE tests/themis/*.c tests/common/*.c)

add_executable(soter_test ${SOTER_TEST_SOURCE} )
target_link_libraries(soter_test soter crypto)

add_executable(themis_test ${THEMIS_TEST_SOURCE} ${SOTER_SOURCE_FILES})
target_include_directories(themis_test PRIVATE tests)
target_link_libraries(themis_test soter crypto themis)
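Review bot: `target_link_libraries(soter_test soter crypto)` and the matching `themis_test` line link libcrypto by bare name, so the linker takes whichever libcrypto is first on its search path while the headers come from the default include path. For a change whose purpose is OpenSSL-version compatibility, the two can silently disagree. Resolving the library once with `find_package(OpenSSL REQUIRED)` and linking `PRIVATE soter OpenSSL::Crypto` ties headers and library to the same install. Separately, `cmake_minimum_required(VERSION 3.8)` should be the first command, before `project(themis)`, because it sets the policy defaults that `project()` runs under. Compiling `${SOTER_SOURCE_FILES}` into `themis_test` while also linking `soter` looks redundant.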
@@ -465,15 +465,9 @@ LICENSE_NAME = "Apache License Version 2.0"
LIBRARY_SO_VERSION := $(shell echo $(VERSION) | sed 's/^\([0-9.]*\)\(.*\)*$$/\1/')

DEBIAN_CODENAME := $(shell lsb_release -cs 2> /dev/null)
DEBIAN_STRETCH_VERSION := libssl1.0.2
DEBIAN_ARCHITECTURE = `dpkg --print-architecture 2>/dev/null`
DEBIAN_DEPENDENCIES := --depends openssl

ifeq ($(DEBIAN_CODENAME),stretch)
DEBIAN_DEPENDENCIES := --depends $(DEBIAN_STRETCH_VERSION)
else

DEBIAN_DEPENDENCIES := --depends openssl
endif
RPM_DEPENDENCIES = --depends openssl
RPM_RELEASE_NUM = 1

@@ -5,17 +5,30 @@ machine:
GOROOT: $HOME/go
GOPATH: $HOME/gopath
PATH: $GOROOT/bin:$PATH
VALGRIND_BUILD_PATH: $HOME/valgrind
# to avoid OOM killer (https://circleci.com/docs/1.0/oom/#out-of-memory-errors-in-android-builds)
GRADLE_OPTS: '-Dorg.gradle.jvmargs="-Xmx2048m -XX:+HeapDumpOnOutOfMemoryError"'
# add define that turn off one nist test (tests/soter/soter_rand_test.c:190) that always fail on ci machine but ok on real machine
CFLAGS: "-DCIRICLE_TEST"
BORINGSSL_PATH: "$HOME/boringssl"

## Customize dependencies
dependencies:
cache_directories:
- "~/valgrind"
- "~/go"
- "~/boringssl"

pre:
- sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get -y install php5 cmake libssl-dev python3 python3-setuptools ruby ninja-build lcov build-essential valgrind
- sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get -y install php5 cmake libssl-dev python3 python3-setuptools ruby ninja-build lcov build-essential libc6-dbg
- sudo ln -sf /usr/bin/gcov-4.9 /usr/bin/gcov
- cd $HOME && wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz && tar xf go1.6.2.linux-amd64.tar.gz
- if [ ! -d $GOROOT ]; then cd $HOME && wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz && tar xf go1.6.2.linux-amd64.tar.gz; fi
- gem install coveralls-lcov
- go get github.com/mattn/goveralls
# download last valgrind because current version of valgrind on ubuntu (3.10.0) gives false positive errors
# link from http://valgrind.org/downloads/current.html
# don't fetch if was cached
- if [ ! -d $VALGRIND_BUILD_PATH ]; then wget ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2 && tar -xjf valgrind-3.13.0.tar.bz2 && cd valgrind-3.13.0 && ./configure --prefix=$VALGRIND_BUILD_PATH && make && sudo make install; fi

override:
- make
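Review bot: The valgrind step fetches `valgrind-3.13.0.tar.bz2` over plain `ftp://` and then runs `./configure`, `make` and `sudo make install` on it with no integrity check, so anything able to alter that transfer gets code executed as root on the build machine. The result is then kept in the `~/valgrind` cache for later builds. Fetch over HTTPS and verify a pinned digest before unpacking, e.g. `wget https://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2 && echo "<EXPECTED_SHA256>  valgrind-3.13.0.tar.bz2" | sha256sum -c - && tar -xjf valgrind-3.13.0.tar.bz2`, where `<EXPECTED_SHA256>` is a placeholder for the digest published with the release. The Go tarball download in the same block has no digest check either.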
@@ -25,10 +38,10 @@ dependencies:
- sudo make pythemis_install
- sudo make rubythemis_install
- sudo make phpthemis_install
- cd $HOME && git clone https://boringssl.googlesource.com/boringssl && cd boringssl && git checkout chromium-stable && mkdir build && cd build && cmake .. && make && cp decrepit/libdecrepit.a crypto/
- cd $HOME/boringssl && mkdir build-armeabi-v7a && cd build-armeabi-v7a && cmake -DANDROID_ABI=armeabi-v7a -DCMAKE_TOOLCHAIN_FILE=../third_party/android-cmake/android.toolchain.cmake -DANDROID_NATIVE_API_LEVEL=16 -GNinja .. && ninja -j 20
- cd $HOME/boringssl && mkdir build-arm64-v8a && cd build-arm64-v8a && cmake -DANDROID_ABI=arm64-v8a -DCMAKE_TOOLCHAIN_FILE=../third_party/android-cmake/android.toolchain.cmake -DANDROID_NATIVE_API_LEVEL=16 -GNinja .. && ninja -j 20
- cd $HOME/boringssl && mkdir build-x86 && cd build-x86 && cmake -DANDROID_ABI=x86 -DCMAKE_TOOLCHAIN_FILE=../third_party/android-cmake/android.toolchain.cmake -DANDROID_NATIVE_API_LEVEL=16 -GNinja .. && ninja -j 20
- if [ ! -d $BORINGSSL_PATH ]; then cd $HOME && git clone https://boringssl.googlesource.com/boringssl && cd boringssl && git checkout chromium-stable && mkdir build && cd build && cmake .. && make && cp decrepit/libdecrepit.a crypto/; fi
- if [ ! -d $BORINGSSL_PATH/build-armeabi-v7a ]; then cd $BORINGSSL_PATH && mkdir build-armeabi-v7a && cd build-armeabi-v7a && cmake -DANDROID_ABI=armeabi-v7a -DCMAKE_TOOLCHAIN_FILE=../third_party/android-cmake/android.toolchain.cmake -DANDROID_NATIVE_API_LEVEL=16 -GNinja .. && ninja -j 20; fi
- if [ ! -d $BORINGSSL_PATH/build-arm64-v8a ]; then cd $BORINGSSL_PATH && mkdir build-arm64-v8a && cd build-arm64-v8a && cmake -DANDROID_ABI=arm64-v8a -DCMAKE_TOOLCHAIN_FILE=../third_party/android-cmake/android.toolchain.cmake -DANDROID_NATIVE_API_LEVEL=16 -GNinja .. && ninja -j 20; fi
- if [ ! -d $BORINGSSL_PATH/build-x86 ]; then cd $BORINGSSL_PATH && mkdir build-x86 && cd build-x86 && cmake -DANDROID_ABI=x86 -DCMAKE_TOOLCHAIN_FILE=../third_party/android-cmake/android.toolchain.cmake -DANDROID_NATIVE_API_LEVEL=16 -GNinja .. && ninja -j 20; fi
- make ENGINE=boringssl ENGINE_INCLUDE_PATH=$HOME/boringssl/include ENGINE_LIB_PATH=$HOME/boringssl/build/crypto BUILD_PATH=build_with_boringssl prepare_tests_basic
- make BUILD_PATH=cover_build COVERAGE=y prepare_tests_basic
- make prepare_tests_all
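Review bot: The BoringSSL step checks out the moving `chromium-stable` branch and is now guarded only by `[ ! -d $BORINGSSL_PATH ]`, so the crypto library under test is whatever that branch pointed to when the cache was first filled. A clone that succeeded but failed to build also leaves the directory in place, and the build is then skipped on later runs. Pinning a specific commit (`git checkout <PINNED_COMMIT>`, placeholder) and testing for a build artefact instead of the directory, for example `[ ! -f $BORINGSSL_PATH/build/crypto/libcrypto.a ]`, makes the cached state reproducible. The `make ENGINE=boringssl` line that follows still spells the path as `$HOME/boringssl` rather than `$BORINGSSL_PATH`.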
@@ -49,16 +62,16 @@ test:
# it's important to set version of ruby precisely.
- rvm use system && make test_ruby
- make test_go
- valgrind build/tests/soter_test 2>&1 | grep "ERROR SUMMARY\|definitely lost\|indirectly lost\|possibly lost" | awk '{sum += $4} END {exit sum}'
- valgrind build/tests/themis_test 2>&1 | grep "ERROR SUMMARY\|definitely lost\|indirectly lost\|possibly lost" | awk '{sum += $4} END {exit sum}'
${VALGRIND_BUILD_PATH}/bin/valgrind build/tests/soter_test 2>&1 | grep "ERROR SUMMARY\|definitely lost\|indirectly lost\|possibly lost" | awk '{sum += $4} END {print $0; if ( sum > 0 ) { exit 1 } }'
- ${VALGRIND_BUILD_PATH}/bin/valgrind build/tests/themis_test 2>&1 | grep "ERROR SUMMARY\|definitely lost\|indirectly lost\|possibly lost" | awk '{sum += $4} END {print $0; if ( sum > 0 ) { exit 1 } }'
- cover_build/tests/soter_test
- cover_build/tests/themis_test
- lcov --directory . --capture --output-file coverage.info
- lcov --remove coverage.info 'tests/*' 'src/soter/openssl/*' '/usr/*' --output-file coverage.info
- lcov --list coverage.info
- coveralls-lcov -v --repo-token $COVERALLS_TOKEN coverage.info || true
- build_with_boringssl/tests/soter_test
- build_with_boringssl/tests/themis_test
- ${VALGRIND_BUILD_PATH}/bin/valgrind build_with_boringssl/tests/soter_test 2>&1 | grep "ERROR SUMMARY\|definitely lost\|indirectly lost\|possibly lost" | awk '{sum += $4} END {print $0; if ( sum > 0 ) { exit 1 } }'
- ${VALGRIND_BUILD_PATH}/bin/valgrind build_with_boringssl/tests/themis_test 2>&1 | grep "ERROR SUMMARY\|definitely lost\|indirectly lost\|possibly lost" | awk '{sum += $4} END {print $0; if ( sum > 0 ) { exit 1 } }'
# - tests/check_ios_test.sh `tests/start_ios_test.sh`
# start Android emulator
- emulator -avd circleci-android22 -no-audio -no-window:
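Review bot: The valgrind steps decide pass or fail by summing column 4 of the grepped summary lines, so a run where valgrind or the test binary dies before printing a summary yields no matching lines, a sum of 0 and a green step. The test binary's own exit status is also discarded by the pipe. Letting valgrind set the status is sturdier: `${VALGRIND_BUILD_PATH}/bin/valgrind --leak-check=full --errors-for-leak-kinds=definite,indirect,possible --error-exitcode=1 build/tests/soter_test`. As rendered here, the first rewritten `soter_test` line also lacks its leading `- `, and `print $0` inside the `END` block prints only the last matched line rather than the whole summary.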
@@ -132,7 +132,7 @@ soter_status_t soter_hash_destroy(soter_hash_ctx_t *hash_ctx)
{
return SOTER_INVALID_PARAMETER;
}

EVP_MD_CTX_cleanup(&(hash_ctx->evp_md_ctx));
free(hash_ctx);
return SOTER_SUCCESS;
}
@@ -93,8 +93,8 @@ soter_status_t soter_sign_final_ecdsa_none_pkcs8(soter_sign_ctx_t* ctx, void* si
if (!pkey && EVP_PKEY_type(pkey->type)!=EVP_PKEY_EC){
return SOTER_INVALID_PARAMETER;
} /* TODO: need review */
if(!signature || (*signature_length)<EVP_PKEY_size(pkey)){
(*signature_length)=EVP_PKEY_size(pkey);
if(!signature || (*signature_length)<(size_t)EVP_PKEY_size(pkey)){
(*signature_length)=(size_t)EVP_PKEY_size(pkey);
return SOTER_BUFFER_TOO_SMALL;
}
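Review bot: The guard just above the changed lines, `if (!pkey && EVP_PKEY_type(pkey->type)!=EVP_PKEY_EC)`, dereferences `pkey` exactly when it is NULL and is always false otherwise. Neither the NULL check nor the key-type check therefore takes effect before the size comparison this commit touches. It should read `if (!pkey || EVP_PKEY_type(pkey->type)!=EVP_PKEY_EC)`. The function body starts and ends outside the hunk, so whether `pkey` is validated earlier is not visible here.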

@@ -101,8 +101,8 @@ soter_status_t soter_sign_final_rsa_pss_pkcs8(soter_sign_ctx_t* ctx, void* signa
if (!pkey){
return SOTER_INVALID_PARAMETER;
}
if((*signature_length)<EVP_PKEY_size(pkey)){
(*signature_length)=EVP_PKEY_size(pkey);
if((*signature_length)<(size_t)EVP_PKEY_size(pkey)){
(*signature_length)=(size_t)EVP_PKEY_size(pkey);
return SOTER_BUFFER_TOO_SMALL;
}
if(!EVP_DigestSignFinal(ctx->md_ctx, signature, signature_length)){
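Review bot: `(size_t)EVP_PKEY_size(pkey)` casts an `int` that is non-positive on failure; a negative value becomes a very large `size_t`, so the check returns `SOTER_BUFFER_TOO_SMALL` and stores that bogus size in `*signature_length`, while a zero passes the check unnoticed. The same cast is added in the `soter_sign_final_ecdsa_none_pkcs8` hunk and in `soter_verify_final_rsa_pss_pkcs8`. Reading the size once and rejecting non-positive values first, `int sig_size = EVP_PKEY_size(pkey); if (sig_size <= 0) return SOTER_FAIL;`, would match the `rsa_mod_size < 0` guard this commit adds in `soter_asym_cipher_decrypt`.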
@@ -91,7 +91,7 @@ soter_status_t soter_verify_final_rsa_pss_pkcs8(soter_sign_ctx_t* ctx, const voi
if (!pkey){
return SOTER_INVALID_PARAMETER;
}
if(signature_length!=EVP_PKEY_size(pkey)){
if(signature_length!=(size_t)EVP_PKEY_size(pkey)){
return SOTER_FAIL;
}
if(!EVP_DigestVerifyFinal(ctx->md_ctx, (unsigned char*)signature, signature_length)){
File renamed without changes.
File renamed without changes.
File renamed without changes.
@@ -97,6 +97,7 @@ soter_status_t soter_asym_cipher_init(soter_asym_cipher_t* asym_cipher, const vo
return SOTER_FAIL;
}
SOTER_IF_FAIL(soter_asym_cipher_import_key(asym_cipher, key, key_length)==SOTER_SUCCESS, (EVP_PKEY_free(pkey), EVP_PKEY_CTX_free(asym_cipher->pkey_ctx)));
EVP_PKEY_free(pkey);
return SOTER_SUCCESS;
}
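Review bot: The failure branch of the `SOTER_IF_FAIL(soter_asym_cipher_import_key(...))` line frees `asym_cipher->pkey_ctx` but leaves the pointer set, and later in this commit `soter_asym_cipher_create` is changed to call `soter_asym_cipher_destroy(ctx)` when init fails. Assuming the macro returns after running its cleanup expression, `soter_asym_cipher_cleanup` then sees a non-NULL `pkey_ctx` and calls `EVP_PKEY_CTX_free` on it a second time. Clearing the pointer in the cleanup expression avoids that: `(EVP_PKEY_free(pkey), EVP_PKEY_CTX_free(asym_cipher->pkey_ctx), asym_cipher->pkey_ctx = NULL)`. The earlier error returns in `soter_asym_cipher_init` are outside the hunk and should be checked for the same pattern.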

@@ -109,11 +110,8 @@ soter_status_t soter_asym_cipher_cleanup(soter_asym_cipher_t* asym_cipher)

if (asym_cipher->pkey_ctx)
{
EVP_PKEY* pkey = EVP_PKEY_CTX_get0_pkey(asym_cipher->pkey_ctx);
EVP_PKEY_CTX_free(asym_cipher->pkey_ctx);
if(pkey){
EVP_PKEY_free(pkey);
}
asym_cipher->pkey_ctx = NULL;
}

return SOTER_SUCCESS;
@@ -152,8 +150,8 @@ soter_status_t soter_asym_cipher_encrypt(soter_asym_cipher_t* asym_cipher, const
}

rsa_mod_size = RSA_size(rsa);

if (plain_data_length > (rsa_mod_size - 2 - (2 * OAEP_HASH_SIZE)))
int oaep_max_payload_length = (rsa_mod_size - 2 - (2 * OAEP_HASH_SIZE));
if (oaep_max_payload_length < 0 || plain_data_length > (size_t)oaep_max_payload_length)
{
/* The plaindata is too large for this key size */
return SOTER_INVALID_PARAMETER;
@@ -236,7 +234,7 @@ soter_status_t soter_asym_cipher_decrypt(soter_asym_cipher_t* asym_cipher, const

rsa_mod_size = RSA_size(rsa);

if (cipher_data_length < rsa_mod_size)
if (rsa_mod_size < 0 || cipher_data_length < (size_t)rsa_mod_size)
{
/* The cipherdata is too small for this key size */
return SOTER_INVALID_PARAMETER;
@@ -294,6 +292,7 @@ soter_asym_cipher_t* soter_asym_cipher_create(const void* key, const size_t key_
{
return NULL;
}
ctx->pkey_ctx = NULL;

status = soter_asym_cipher_init(ctx, key, key_length, pad);
if (SOTER_SUCCESS == status)
@@ -302,7 +301,7 @@ soter_asym_cipher_t* soter_asym_cipher_create(const void* key, const size_t key_
}
else
{
free(ctx);
soter_asym_cipher_destroy(ctx);
return NULL;
}
}
@@ -317,9 +316,9 @@ soter_status_t soter_asym_cipher_destroy(soter_asym_cipher_t* asym_cipher)
}

status = soter_asym_cipher_cleanup(asym_cipher);
free(asym_cipher);
if (SOTER_SUCCESS == status)
{
free(asym_cipher);
return SOTER_SUCCESS;
}
else
@@ -22,13 +22,13 @@

struct soter_hash_ctx_type
{
EVP_MD_CTX evp_md_ctx;
EVP_MD_CTX* evp_md_ctx;
};

struct soter_sym_ctx_type
{
uint32_t alg;
EVP_CIPHER_CTX evp_sym_ctx;
EVP_CIPHER_CTX* evp_sym_ctx;
};

struct soter_asym_cipher_type
@@ -40,13 +40,19 @@ soter_status_t soter_hash_init(soter_hash_ctx_t *hash_ctx, soter_hash_algo_t alg
{
return SOTER_INVALID_PARAMETER;
}

if (EVP_DigestInit(&(hash_ctx->evp_md_ctx), md))

hash_ctx->evp_md_ctx = EVP_MD_CTX_create();
if (!hash_ctx->evp_md_ctx){
return SOTER_FAIL;
}

if (EVP_DigestInit_ex(hash_ctx->evp_md_ctx, md, NULL))
{
return SOTER_SUCCESS;
}
else
{
soter_hash_cleanup(hash_ctx);
return SOTER_FAIL;
}
}
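Review bot: `soter_hash_init` has no comment stating its new ownership contract: it now allocates with `EVP_MD_CTX_create()` on every call, and `EVP_DigestFinal_ex`, unlike the `EVP_DigestFinal` it replaces, does not release the context. A header comment would cover it, e.g. `/* Allocates hash_ctx->evp_md_ctx; pair every successful call with soter_hash_cleanup() or soter_hash_destroy(). Calling init again without cleanup leaks the previous context. */`. This matters most for callers that keep a `soter_hash_ctx_t` on the stack, which until now had nothing on the heap to release.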
@@ -58,7 +64,7 @@ soter_status_t soter_hash_update(soter_hash_ctx_t *hash_ctx, const void *data, s
return SOTER_INVALID_PARAMETER;
}

if (EVP_DigestUpdate(&(hash_ctx->evp_md_ctx), data, length))
if (EVP_DigestUpdate(hash_ctx->evp_md_ctx, data, length))
{
return SOTER_SUCCESS;
}
@@ -77,7 +83,7 @@ soter_status_t soter_hash_final(soter_hash_ctx_t *hash_ctx, uint8_t* hash_value,
return SOTER_INVALID_PARAMETER;
}

md_length = (size_t)EVP_MD_CTX_size(&(hash_ctx->evp_md_ctx));
md_length = (size_t)EVP_MD_CTX_size(hash_ctx->evp_md_ctx);

if (!hash_value || (md_length > *hash_length))
{
@@ -86,7 +92,7 @@ soter_status_t soter_hash_final(soter_hash_ctx_t *hash_ctx, uint8_t* hash_value,
return SOTER_BUFFER_TOO_SMALL;
}

if (EVP_DigestFinal(&(hash_ctx->evp_md_ctx), hash_value, (unsigned int *)&md_length))
if (EVP_DigestFinal_ex(hash_ctx->evp_md_ctx, hash_value, (unsigned int *)&md_length))
{
*hash_length = md_length;
return SOTER_SUCCESS;
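Review bot: `(unsigned int *)&md_length` passes the address of what appears to be a `size_t` (its declaration is outside the hunk) to a parameter through which `EVP_DigestFinal_ex` writes an `unsigned int`. Where `size_t` is wider, only part of `md_length` is written, and on a big-endian 64-bit target `*hash_length` ends up wrong. The new call carries the cast over from the old one. A local of the right type removes it: `unsigned int out_len = 0;`, pass `&out_len` to `EVP_DigestFinal_ex`, then `*hash_length = out_len;`.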
@@ -105,6 +111,7 @@ soter_hash_ctx_t* soter_hash_create(soter_hash_algo_t algo)
{
return NULL;
}
ctx->evp_md_ctx = NULL;

status = soter_hash_init(ctx, algo);
if (SOTER_SUCCESS == status)
@@ -113,7 +120,7 @@ soter_hash_ctx_t* soter_hash_create(soter_hash_algo_t algo)
}
else
{
free(ctx);
soter_hash_destroy(ctx);
return NULL;
}
}
@@ -123,7 +130,9 @@ soter_status_t soter_hash_cleanup(soter_hash_ctx_t* hash_ctx){
{
return SOTER_INVALID_PARAMETER;
}
EVP_MD_CTX_cleanup(&(hash_ctx->evp_md_ctx));

EVP_MD_CTX_destroy(hash_ctx->evp_md_ctx);
hash_ctx->evp_md_ctx = NULL;
return SOTER_SUCCESS;
}

@@ -133,7 +142,7 @@ soter_status_t soter_hash_destroy(soter_hash_ctx_t *hash_ctx)
{
return SOTER_INVALID_PARAMETER;
}

soter_hash_cleanup(hash_ctx);
free(hash_ctx);
return SOTER_SUCCESS;
}