From 1ed2c7b11570f5d16bdc70d151fa78c3dccf6d38 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Sat, 9 Apr 2016 01:22:13 +0900 Subject: imap-send: use HMAC() function provided by OpenSSL Fix compile errors with OpenSSL 1.1.0. HMAC_CTX is made opaque and HMAC_CTX_cleanup is removed in OpenSSL 1.1.0. But since we just want to calculate one HMAC, we can use HMAC() here, which exists since OpenSSL 0.9.6 at least. Signed-off-by: Kazuki Yamaguchi Signed-off-by: Junio C Hamano --- imap-send.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'imap-send.c') diff --git a/imap-send.c b/imap-send.c index 8c3fc212b..8bf363bbd 100644 --- a/imap-send.c +++ b/imap-send.c @@ -862,7 +862,6 @@ static char hexchar(unsigned int b) static char *cram(const char *challenge_64, const char *user, const char *pass) { int i, resp_len, encoded_len, decoded_len; - HMAC_CTX hmac; unsigned char hash[16]; char hex[33]; char *response, *response_64, *challenge; @@ -877,10 +876,8 @@ static char *cram(const char *challenge_64, const char *user, const char *pass) (unsigned char *)challenge_64, encoded_len); if (decoded_len < 0) die("invalid challenge %s", challenge_64); - HMAC_Init(&hmac, (unsigned char *)pass, strlen(pass), EVP_md5()); - HMAC_Update(&hmac, (unsigned char *)challenge, decoded_len); - HMAC_Final(&hmac, hash, NULL); - HMAC_CTX_cleanup(&hmac); + if (!HMAC(EVP_md5(), pass, strlen(pass), (unsigned char *)challenge, decoded_len, hash, NULL)) + die("HMAC error"); hex[32] = 0; for (i = 0; i < 16; i++) { -- cgit v1.2.1 From 6738a33b3102222b25f7a1596aa1ed39c478a268 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Sat, 9 Apr 2016 01:22:14 +0900 Subject: imap-send: check NULL return of SSL_CTX_new() SSL_CTX_new() may fail with return value NULL. Signed-off-by: Kazuki Yamaguchi Signed-off-by: Junio C Hamano --- imap-send.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'imap-send.c') diff --git a/imap-send.c b/imap-send.c index 8bf363bbd..e964e2a7f 100644 --- a/imap-send.c +++ b/imap-send.c @@ -298,6 +298,10 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve } ctx = SSL_CTX_new(meth); + if (!ctx) { + ssl_socket_perror("SSL_CTX_new"); + return -1; + } if (verify) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); -- cgit v1.2.1 From b51c0d4b4c70b3d2ddac1657b98b17e77af1c404 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Sat, 9 Apr 2016 01:22:15 +0900 Subject: imap-send: avoid deprecated TLSv1_method() Use SSLv23_method always and disable SSL if needed. TLSv1_method() function is deprecated in OpenSSL 1.1.0 and the compiler emits a warning. SSLv23_method() is also deprecated, but the alternative, TLS_method(), is new in OpenSSL 1.1.0 so requires checking by configure. Stick to SSLv23_method() for now (this is aliased to TLS_method()). Signed-off-by: Kazuki Yamaguchi Signed-off-by: Junio C Hamano --- imap-send.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'imap-send.c') diff --git a/imap-send.c b/imap-send.c index e964e2a7f..78b6ff649 100644 --- a/imap-send.c +++ b/imap-send.c @@ -287,11 +287,7 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve SSL_library_init(); SSL_load_error_strings(); - if (use_tls_only) - meth = TLSv1_method(); - else - meth = SSLv23_method(); - + meth = SSLv23_method(); if (!meth) { ssl_socket_perror("SSLv23_method"); return -1; @@ -303,6 +299,9 @@ static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int ve return -1; } + if (use_tls_only) + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + if (verify) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); -- cgit v1.2.1