jwt: use ECDSA_SIG_set0() for OpenSSL compatibility #43240
+160
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
|
We've been carrying this as a patch since ever in the openssl fork. Now that jwt is in Envoy itself, this is a good change to get in, as it makes the code work on both libraries. Similar to the change in #42156 |
jwendell
force-pushed
the
uniqueptr1
branch
4 times, most recently
from
7f622f1 to
484bd96
Compare
The previous code directly accessed the r and s members of the ECDSA_SIG struct when converting the JWT signature to an ECDSA signature object. This worked with BoringSSL which exposes struct internals, but fails with OpenSSL where ECDSA_SIG is an opaque type. This change uses ECDSA_SIG_set0() to set the r and s BIGNUM values, which is supported by both BoringSSL and OpenSSL. The BIGNUMs are created separately and then transferred to the ECDSA_SIG object via ECDSA_SIG_set0(), which takes ownership of them. The unique_ptrs are released after the transfer to prevent double-free. Signed-off-by: Jonh Wendell <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The previous code directly accessed the r and s members of the ECDSA_SIG struct when converting the JWT signature to an ECDSA signature object. This worked with BoringSSL which exposes struct internals, but fails with OpenSSL where ECDSA_SIG is an opaque type.
This change uses ECDSA_SIG_set0() to set the r and s BIGNUM values, which is supported by both BoringSSL and OpenSSL. The BIGNUMs are created separately and then transferred to the ECDSA_SIG object via ECDSA_SIG_set0(), which takes ownership of them. The unique_ptrs are released after the transfer to prevent double-free.