[PR #2804] Modernize OpenSSL digest and HMAC error handling #2803

Open
opened 2026-03-04 02:07:22 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/s3fs-fuse/s3fs-fuse/pull/2804
Author: @CarstenGrohmann
Created: 2/14/2026
Status: 🔄 Open

Base: masterHead: digest_error_handling


📝 Commits (6)

  • 8de9c4a Remove support for OpenSSL < 1.1.1
  • 1f4f0ab Use shared EVP digest helper for md5 and sha256
  • 19448f2 Add shared EVP helper for file descriptor digests
  • 253c26e Replace s3fs_md5_fd() with s3fs_digest_fd() wrapper
  • 1e86735 Remove USE_OPENSSL_30 build flag
  • 5ce05c7 Add error handling to HMAC call

📊 Changes

4 files changed (+60 additions, -249 deletions)

View changed files

📝 COMPILATION.md (+2 -2)
📝 configure.ac (+14 -11)
📝 src/Makefile.am (+0 -3)
📝 src/openssl_auth.cpp (+44 -233)

📄 Description

Fixes #2796

Summary

  • Raise minimum OpenSSL version to 1.1.1 and remove all pre-1.1.1 code paths
  • Replace all digest functions with shared EVP helpers using RAII and proper error handling
  • Add return value checks and OpenSSL error messages to HMAC call
  • Remove the USE_OPENSSL_30 build flag (no longer needed)

Changes

Build system

  • configure.ac: raise libcrypto minimum to 1.1.1 with compile-time version check; remove OpenSSL 3.0 detection and USE_SSL_OPENSSL_30 conditional; use DEPS_CFLAGS in AC_COMPILE_IFELSE so non-default installations are detected correctly
  • src/Makefile.am: remove -DUSE_OPENSSL_30 flag
  • COMPILATION.md: document OpenSSL >= 1.1.1 as minimum version

openssl_auth.cpp (-251/+62 lines)

  • Remove ~90 lines of dead crypto mutex infrastructure (CRYPTO_set_locking_callback etc.) — OpenSSL 1.1.0+ manages threading internally
  • Remove obsolete init/cleanup calls (ERR_load_crypto_strings, EVP_cleanup etc.) — no-ops since OpenSSL 1.1.0
  • Introduce s3fs_digest() and s3fs_digest_fd() as shared helpers for all digest operations (MD5, SHA256) with:
    • RAII via std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)>
    • Return value checks on every EVP call
    • OpenSSL error strings via ERR_reason_error_string(ERR_get_error())
  • Replace EVP_MD_CTX_create()/EVP_MD_CTX_destroy() (deprecated since 1.1.0) with EVP_MD_CTX_new()/ EVP_MD_CTX_free()`
  • Replace EVP_get_digestbyname() string lookup with direct EVP_md5()/EVP_sha256() accessors
  • Remove MD5_Init/MD5_Update/MD5_Final (deprecated since 3.0) in favor of the shared EVP helper
  • Unify the #ifdef USE_OPENSSL_30 / #else code paths for s3fs_md5(), s3fs_md5_fd(), s3fs_sha256(), s3fs_sha256_fd() into single implementations
  • Add return value check and error message to HMAC() call
  • Remove #pragma clang diagnostic ignored "-Wdeprecated-declarations" (no deprecated calls remain)

Addresses all points from #2796

  1. nullptr checks — EVP_MD_CTX_new() checked in both helpers
  2. Return value checks — all EVP_Digest*() calls checked
  3. RAII — std::unique_ptr with custom deleter for EVP_MD_CTX
  4. Deprecated API — replaced throughout
  5. Silent failure — all error paths return false/nullptr

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/s3fs-fuse/s3fs-fuse/pull/2804 **Author:** [@CarstenGrohmann](https://github.com/CarstenGrohmann) **Created:** 2/14/2026 **Status:** 🔄 Open **Base:** `master` ← **Head:** `digest_error_handling` --- ### 📝 Commits (6) - [`8de9c4a`](https://github.com/s3fs-fuse/s3fs-fuse/commit/8de9c4ab9b525280187ba58cf4e1c7b584ab67ec) Remove support for OpenSSL < 1.1.1 - [`1f4f0ab`](https://github.com/s3fs-fuse/s3fs-fuse/commit/1f4f0ab8e0a027c35cbc6a6872aec5b9575892b4) Use shared EVP digest helper for md5 and sha256 - [`19448f2`](https://github.com/s3fs-fuse/s3fs-fuse/commit/19448f289c56c29d5c31cc7f0044fda1940aefd0) Add shared EVP helper for file descriptor digests - [`253c26e`](https://github.com/s3fs-fuse/s3fs-fuse/commit/253c26ef7858e37cd63faff1d82f0a5caa62b687) Replace s3fs_md5_fd() with s3fs_digest_fd() wrapper - [`1e86735`](https://github.com/s3fs-fuse/s3fs-fuse/commit/1e8673545246ee742a5b436d87def921c5bdbab9) Remove USE_OPENSSL_30 build flag - [`5ce05c7`](https://github.com/s3fs-fuse/s3fs-fuse/commit/5ce05c7bef4d8c5e016954c75624b9e4e7de027c) Add error handling to HMAC call ### 📊 Changes **4 files changed** (+60 additions, -249 deletions) <details> <summary>View changed files</summary> 📝 `COMPILATION.md` (+2 -2) 📝 `configure.ac` (+14 -11) 📝 `src/Makefile.am` (+0 -3) 📝 `src/openssl_auth.cpp` (+44 -233) </details> ### 📄 Description Fixes #2796 ## Summary - Raise minimum OpenSSL version to 1.1.1 and remove all pre-1.1.1 code paths - Replace all digest functions with shared EVP helpers using RAII and proper error handling - Add return value checks and OpenSSL error messages to HMAC call - Remove the `USE_OPENSSL_30` build flag (no longer needed) ## Changes ### Build system - `configure.ac`: raise `libcrypto` minimum to 1.1.1 with compile-time version check; remove OpenSSL 3.0 detection and `USE_SSL_OPENSSL_30` conditional; use `DEPS_CFLAGS` in `AC_COMPILE_IFELSE` so non-default installations are detected correctly - `src/Makefile.am`: remove `-DUSE_OPENSSL_30` flag - `COMPILATION.md`: document OpenSSL >= 1.1.1 as minimum version ### openssl_auth.cpp (-251/+62 lines) - Remove ~90 lines of dead crypto mutex infrastructure (`CRYPTO_set_locking_callback` etc.) — OpenSSL 1.1.0+ manages threading internally - Remove obsolete init/cleanup calls (`ERR_load_crypto_strings`, `EVP_cleanup` etc.) — no-ops since OpenSSL 1.1.0 - Introduce `s3fs_digest()` and `s3fs_digest_fd()` as shared helpers for all digest operations (MD5, SHA256) with: - RAII via `std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)>` - Return value checks on every EVP call - OpenSSL error strings via `ERR_reason_error_string(ERR_get_error())` - Replace `EVP_MD_CTX_create()`/`EVP_MD_CTX_destroy()` (deprecated since 1.1.0) with `EVP_MD_CTX_new()`/ EVP_MD_CTX_free()` - Replace `EVP_get_digestbyname()` string lookup with direct `EVP_md5()`/`EVP_sha256()` accessors - Remove `MD5_Init`/`MD5_Update`/`MD5_Final` (deprecated since 3.0) in favor of the shared EVP helper - Unify the `#ifdef USE_OPENSSL_30` / `#else` code paths for `s3fs_md5()`, `s3fs_md5_fd()`, `s3fs_sha256()`, `s3fs_sha256_fd()` into single implementations - Add return value check and error message to `HMAC()` call - Remove `#pragma clang diagnostic ignored "-Wdeprecated-declarations"` (no deprecated calls remain) ## Addresses all points from #2796 1. nullptr checks — `EVP_MD_CTX_new()` checked in both helpers 2. Return value checks — all `EVP_Digest*()` calls checked 3. RAII — `std::unique_ptr` with custom deleter for `EVP_MD_CTX` 4. Deprecated API — replaced throughout 5. Silent failure — all error paths return `false`/`nullptr` --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/s3fs-fuse#2803
No description provided.