[PR #2804] Modernize OpenSSL digest and HMAC error handling #2803

New issue

Open

opened 2026-03-04 02:07:22 +03:00 by kerem · 0 comments

kerem commented 2026-03-04 02:07:22 +03:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/s3fs-fuse/s3fs-fuse/pull/2804
Author: @CarstenGrohmann
Created: 2/14/2026
Status: 🔄 Open

Base: master ← Head: digest_error_handling

---

📝 Commits (6)

• 8de9c4a Remove support for OpenSSL < 1.1.1
• 1f4f0ab Use shared EVP digest helper for md5 and sha256
• 19448f2 Add shared EVP helper for file descriptor digests
• 253c26e Replace s3fs_md5_fd() with s3fs_digest_fd() wrapper
• 1e86735 Remove USE_OPENSSL_30 build flag
• 5ce05c7 Add error handling to HMAC call

📊 Changes

4 files changed (+60 additions, -249 deletions)

View changed files

📝 COMPILATION.md (+2 -2)
📝 configure.ac (+14 -11)
📝 src/Makefile.am (+0 -3)
📝 src/openssl_auth.cpp (+44 -233)

📄 Description

Fixes #2796

Summary

• Raise minimum OpenSSL version to 1.1.1 and remove all pre-1.1.1 code paths
• Replace all digest functions with shared EVP helpers using RAII and proper error handling
• Add return value checks and OpenSSL error messages to HMAC call
• Remove the USE_OPENSSL_30 build flag (no longer needed)

Changes

Build system

• configure.ac: raise libcrypto minimum to 1.1.1 with compile-time version check; remove OpenSSL 3.0 detection and USE_SSL_OPENSSL_30 conditional; use DEPS_CFLAGS in AC_COMPILE_IFELSE so non-default installations are detected correctly
• src/Makefile.am: remove -DUSE_OPENSSL_30 flag
• COMPILATION.md: document OpenSSL >= 1.1.1 as minimum version

openssl_auth.cpp (-251/+62 lines)

• Remove ~90 lines of dead crypto mutex infrastructure (CRYPTO_set_locking_callback etc.) — OpenSSL 1.1.0+ manages threading internally
• Remove obsolete init/cleanup calls (ERR_load_crypto_strings, EVP_cleanup etc.) — no-ops since OpenSSL 1.1.0
• Introduce s3fs_digest() and s3fs_digest_fd() as shared helpers for all digest operations (MD5, SHA256) with:
  • RAII via std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)>
  • Return value checks on every EVP call
  • OpenSSL error strings via ERR_reason_error_string(ERR_get_error())
• Replace EVP_MD_CTX_create()/EVP_MD_CTX_destroy() (deprecated since 1.1.0) with EVP_MD_CTX_new()/ EVP_MD_CTX_free()`
• Replace EVP_get_digestbyname() string lookup with direct EVP_md5()/EVP_sha256() accessors
• Remove MD5_Init/MD5_Update/MD5_Final (deprecated since 3.0) in favor of the shared EVP helper
• Unify the #ifdef USE_OPENSSL_30 / #else code paths for s3fs_md5(), s3fs_md5_fd(), s3fs_sha256(), s3fs_sha256_fd() into single implementations
• Add return value check and error message to HMAC() call
• Remove #pragma clang diagnostic ignored "-Wdeprecated-declarations" (no deprecated calls remain)

Addresses all points from #2796

1. nullptr checks — EVP_MD_CTX_new() checked in both helpers
2. Return value checks — all EVP_Digest*() calls checked
3. RAII — std::unique_ptr with custom deleter for EVP_MD_CTX
4. Deprecated API — replaced throughout
5. Silent failure — all error paths return false/nullptr

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/s3fs-fuse/s3fs-fuse/pull/2804 **Author:** [@CarstenGrohmann](https://github.com/CarstenGrohmann) **Created:** 2/14/2026 **Status:** 🔄 Open **Base:** `master` ← **Head:** `digest_error_handling` --- ### 📝 Commits (6) - [`8de9c4a`](https://github.com/s3fs-fuse/s3fs-fuse/commit/8de9c4ab9b525280187ba58cf4e1c7b584ab67ec) Remove support for OpenSSL < 1.1.1 - [`1f4f0ab`](https://github.com/s3fs-fuse/s3fs-fuse/commit/1f4f0ab8e0a027c35cbc6a6872aec5b9575892b4) Use shared EVP digest helper for md5 and sha256 - [`19448f2`](https://github.com/s3fs-fuse/s3fs-fuse/commit/19448f289c56c29d5c31cc7f0044fda1940aefd0) Add shared EVP helper for file descriptor digests - [`253c26e`](https://github.com/s3fs-fuse/s3fs-fuse/commit/253c26ef7858e37cd63faff1d82f0a5caa62b687) Replace s3fs_md5_fd() with s3fs_digest_fd() wrapper - [`1e86735`](https://github.com/s3fs-fuse/s3fs-fuse/commit/1e8673545246ee742a5b436d87def921c5bdbab9) Remove USE_OPENSSL_30 build flag - [`5ce05c7`](https://github.com/s3fs-fuse/s3fs-fuse/commit/5ce05c7bef4d8c5e016954c75624b9e4e7de027c) Add error handling to HMAC call ### 📊 Changes **4 files changed** (+60 additions, -249 deletions) <details> <summary>View changed files</summary> 📝 `COMPILATION.md` (+2 -2) 📝 `configure.ac` (+14 -11) 📝 `src/Makefile.am` (+0 -3) 📝 `src/openssl_auth.cpp` (+44 -233) </details> ### 📄 Description Fixes #2796 ## Summary - Raise minimum OpenSSL version to 1.1.1 and remove all pre-1.1.1 code paths - Replace all digest functions with shared EVP helpers using RAII and proper error handling - Add return value checks and OpenSSL error messages to HMAC call - Remove the `USE_OPENSSL_30` build flag (no longer needed) ## Changes ### Build system - `configure.ac`: raise `libcrypto` minimum to 1.1.1 with compile-time version check; remove OpenSSL 3.0 detection and `USE_SSL_OPENSSL_30` conditional; use `DEPS_CFLAGS` in `AC_COMPILE_IFELSE` so non-default installations are detected correctly - `src/Makefile.am`: remove `-DUSE_OPENSSL_30` flag - `COMPILATION.md`: document OpenSSL >= 1.1.1 as minimum version ### openssl_auth.cpp (-251/+62 lines) - Remove ~90 lines of dead crypto mutex infrastructure (`CRYPTO_set_locking_callback` etc.) — OpenSSL 1.1.0+ manages threading internally - Remove obsolete init/cleanup calls (`ERR_load_crypto_strings`, `EVP_cleanup` etc.) — no-ops since OpenSSL 1.1.0 - Introduce `s3fs_digest()` and `s3fs_digest_fd()` as shared helpers for all digest operations (MD5, SHA256) with: - RAII via `std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)>` - Return value checks on every EVP call - OpenSSL error strings via `ERR_reason_error_string(ERR_get_error())` - Replace `EVP_MD_CTX_create()`/`EVP_MD_CTX_destroy()` (deprecated since 1.1.0) with `EVP_MD_CTX_new()`/ EVP_MD_CTX_free()` - Replace `EVP_get_digestbyname()` string lookup with direct `EVP_md5()`/`EVP_sha256()` accessors - Remove `MD5_Init`/`MD5_Update`/`MD5_Final` (deprecated since 3.0) in favor of the shared EVP helper - Unify the `#ifdef USE_OPENSSL_30` / `#else` code paths for `s3fs_md5()`, `s3fs_md5_fd()`, `s3fs_sha256()`, `s3fs_sha256_fd()` into single implementations - Add return value check and error message to `HMAC()` call - Remove `#pragma clang diagnostic ignored "-Wdeprecated-declarations"` (no deprecated calls remain) ## Addresses all points from #2796 1. nullptr checks — `EVP_MD_CTX_new()` checked in both helpers 2. Return value checks — all `EVP_Digest*()` calls checked 3. RAII — `std::unique_ptr` with custom deleter for `EVP_MD_CTX` 4. Deprecated API — replaced throughout 5. Silent failure — all error paths return `false`/`nullptr` --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

kerem added the

pull-request

label 2026-03-04 02:07:22 +03:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v1.97

v1.96

v1.95

v1.94

v1.93

v1.92

v1.91

v1.90

v1.89

v1.88

v1.87

v1.86

v1.85

v1.84

v1.83

v1.82

v1.81

v1.80

v1.79

v1.78

Pre-v1.78

v1.77

v1.76

v1.75

v1.74

Labels

Clear labels   

bug

  

bug

  

dataloss

  

duplicate

  

enhancement

  

feature request

  

help wanted

  

invalid

  

need info

  

performance

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

testing

No labels

bug

bug

dataloss

duplicate

enhancement

feature request

help wanted

invalid

need info

performance

pull-request

question

question

testing

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/s3fs-fuse#2803

No description provided.