[PATCH v4 2/3] imap-send: eliminate HMAC deprecation warnings on OS X 10.8

[PATCH v4 2/3] imap-send: eliminate HMAC deprecation warnings on OS X 10.8

[David Aguilar]

Mac OS X Mountain Lion warns that HMAC_Init() and friends are
deprecated.  Use CommonCrypto's HMAC to eliminate the warnings.

Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: David Aguilar <davvid@gmail.com>
---
1/3 not included since it is unchanged.
These are replacement patches for what's currently in "pu".

Changes since last time:

We no longer say "=1" when defining COMMON_DIGEST_FOR_HMAC.
I added the word "deprecated" to the commit message subject
for consistency with the other patches in this series.

 Makefile    |  5 +++++
 imap-send.c | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/Makefile b/Makefile
index f698c1a..a0f7afc 100644
--- a/Makefile
+++ b/Makefile
@@ -1054,6 +1054,7 @@ ifeq ($(uname_S),Darwin)
 			BASIC_LDFLAGS += -L/opt/local/lib
 		endif
 	endif
+	COMMON_DIGEST_HMAC = YesPlease
 	NO_REGEX = YesPlease
 	PTHREAD_LIBS =
 endif
@@ -1393,6 +1394,10 @@ else
 	EXTLIBS += $(LIB_4_CRYPTO)
 endif
 endif
+
+ifdef COMMON_DIGEST_HMAC
+	BASIC_CFLAGS += -DCOMMON_DIGEST_FOR_HMAC
+endif
 ifdef NO_PERL_MAKEMAKER
 	export NO_PERL_MAKEMAKER
 endif
diff --git a/imap-send.c b/imap-send.c
index d9bcfb4..1b2e69c 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -29,8 +29,18 @@
 #ifdef NO_OPENSSL
 typedef void *SSL;
 #else
+#ifdef COMMON_DIGEST_FOR_HMAC
+#include <CommonCrypto/CommonHMAC.h>
+#define HMAC_CTX CCHmacContext
+#define HMAC_Init(hmac, key, len, algo) CCHmacInit(hmac, algo, key, len)
+#define HMAC_Update CCHmacUpdate
+#define HMAC_Final(hmac, hash, ptr) CCHmacFinal(hmac, hash)
+#define HMAC_CTX_cleanup
+#define EVP_md5() kCCHmacAlgMD5
+#else
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
+#endif
 #include <openssl/x509v3.h>
 #endif
 
-- 
1.8.3.rc1.52.g872cb7b

[PATCH v4 3/3] cache.h: eliminate SHA-1 deprecation warnings on OS X 10.8

[David Aguilar]

Mac OS X Mountain Lion prints warnings when building git:

	warning: 'SHA1_Init' is deprecated
	(declared at /usr/include/openssl/sha.h:121)

Silence the warnings by using the CommonCrytpo SHA-1
functions for SHA1_Init(), SHA1_Update(), and SHA1_Final().

Add a COMMON_DIGEST_SHA1 option to the Makefile to allow
choosing this implementation and define it by default on Darwin.

Define COMMON_DIGEST_FOR_OPENSSL to enable the OpenSSL
compatibility macros in CommonDigest.h.

Helped-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: David Aguilar <davvid@gmail.com>
---
Changes since last round:
COMMON_DIGEST_FOR_OPENSSL is used to enable the compatibility macros.

 Makefile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Makefile b/Makefile
index a0f7afc..29c02ed 100644
--- a/Makefile
+++ b/Makefile
@@ -1055,6 +1055,7 @@ ifeq ($(uname_S),Darwin)
 		endif
 	endif
 	COMMON_DIGEST_HMAC = YesPlease
+	COMMON_DIGEST_SHA1 = YesPlease
 	NO_REGEX = YesPlease
 	PTHREAD_LIBS =
 endif
@@ -1390,10 +1391,15 @@ ifdef PPC_SHA1
 	LIB_OBJS += ppc/sha1.o ppc/sha1ppc.o
 	LIB_H += ppc/sha1.h
 else
+ifdef COMMON_DIGEST_SHA1
+	BASIC_CFLAGS += -DCOMMON_DIGEST_FOR_OPENSSL
+	SHA1_HEADER = <CommonCrypto/CommonDigest.h>
+else
 	SHA1_HEADER = <openssl/sha.h>
 	EXTLIBS += $(LIB_4_CRYPTO)
 endif
 endif
+endif
 
 ifdef COMMON_DIGEST_HMAC
 	BASIC_CFLAGS += -DCOMMON_DIGEST_FOR_HMAC
-- 
1.8.3.rc1.52.g872cb7b

Re: [PATCH v4 3/3] cache.h: eliminate SHA-1 deprecation warnings on OS X 10.8

[Eric Sunshine]

On Mon, May 13, 2013 at 4:23 AM, David Aguilar <davvid@gmail.com> wrote:
> Mac OS X Mountain Lion prints warnings when building git:
>
>         warning: 'SHA1_Init' is deprecated
>         (declared at /usr/include/openssl/sha.h:121)
>
> Silence the warnings by using the CommonCrytpo SHA-1
> functions for SHA1_Init(), SHA1_Update(), and SHA1_Final().
>
> Add a COMMON_DIGEST_SHA1 option to the Makefile to allow
> choosing this implementation and define it by default on Darwin.

The approach of adding a Makefile option for each CommonCrypto
facility does not really scale well. For instance, these days, I
generally build git against OpenSSL from MacPorts, which gives me a
warning-free git build since MacPorts/OpenSSL lacks those
Apple-specific deprecation flags. With this patch series introducing
several Makefile knobs, people wishing to use MacPorts/OpenSSL will
have to tweak each knob. These patches already introduce two knobs
(COMMON_DIGEST_SHA1, COMMON_DIGEST_HMAC). Adding more knobs to silence
the remaining 29 deprecation warnings will make the build more
cumbersome for those who prefer OpenSSL. Instead, introducing a single
knob (such as APPLE_COMMON_CRYPTO) would avoid this problem.

More generally, is the approach of trying to figure out CommonCrypto
replacements for DIGEST, HMAC, and the other 29 warnings worthwhile?
After all, Apple introduced deprecation warnings due to the
ABI-instability of OpenSSL, not due to any particular flaw in OpenSSL
or its API. A more manageable approach might simply be to disable that
particular warning on Darwin (via CFLAGS or perhaps '#pragma GCC
diagnostic ignored' for more fine-grained control).

> Define COMMON_DIGEST_FOR_OPENSSL to enable the OpenSSL
> compatibility macros in CommonDigest.h.
>
> Helped-by: Eric Sunshine <sunshine@sunshineco.com>
> Signed-off-by: David Aguilar <davvid@gmail.com>
> ---
> Changes since last round:
> COMMON_DIGEST_FOR_OPENSSL is used to enable the compatibility macros.
>
>  Makefile | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/Makefile b/Makefile
> index a0f7afc..29c02ed 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1055,6 +1055,7 @@ ifeq ($(uname_S),Darwin)
>                 endif
>         endif
>         COMMON_DIGEST_HMAC = YesPlease
> +       COMMON_DIGEST_SHA1 = YesPlease
>         NO_REGEX = YesPlease
>         PTHREAD_LIBS =
>  endif
> @@ -1390,10 +1391,15 @@ ifdef PPC_SHA1
>         LIB_OBJS += ppc/sha1.o ppc/sha1ppc.o
>         LIB_H += ppc/sha1.h
>  else
> +ifdef COMMON_DIGEST_SHA1
> +       BASIC_CFLAGS += -DCOMMON_DIGEST_FOR_OPENSSL
> +       SHA1_HEADER = <CommonCrypto/CommonDigest.h>
> +else
>         SHA1_HEADER = <openssl/sha.h>
>         EXTLIBS += $(LIB_4_CRYPTO)
>  endif
>  endif
> +endif
>
>  ifdef COMMON_DIGEST_HMAC
>         BASIC_CFLAGS += -DCOMMON_DIGEST_FOR_HMAC
> --
> 1.8.3.rc1.52.g872cb7b
>

Re: [PATCH v4 3/3] cache.h: eliminate SHA-1 deprecation warnings on OS X 10.8

[David Aguilar]

On Mon, May 13, 2013 at 6:32 AM, Eric Sunshine <sunshine@sunshineco.com> wrote:
> On Mon, May 13, 2013 at 4:23 AM, David Aguilar <davvid@gmail.com> wrote:
>> Mac OS X Mountain Lion prints warnings when building git:
>>
>>         warning: 'SHA1_Init' is deprecated
>>         (declared at /usr/include/openssl/sha.h:121)
>>
>> Silence the warnings by using the CommonCrytpo SHA-1
>> functions for SHA1_Init(), SHA1_Update(), and SHA1_Final().
>>
>> Add a COMMON_DIGEST_SHA1 option to the Makefile to allow
>> choosing this implementation and define it by default on Darwin.
>
> The approach of adding a Makefile option for each CommonCrypto
> facility does not really scale well. For instance, these days, I
> generally build git against OpenSSL from MacPorts, which gives me a
> warning-free git build since MacPorts/OpenSSL lacks those
> Apple-specific deprecation flags. With this patch series introducing
> several Makefile knobs, people wishing to use MacPorts/OpenSSL will
> have to tweak each knob. These patches already introduce two knobs
> (COMMON_DIGEST_SHA1, COMMON_DIGEST_HMAC). Adding more knobs to silence
> the remaining 29 deprecation warnings will make the build more
> cumbersome for those who prefer OpenSSL. Instead, introducing a single
> knob (such as APPLE_COMMON_CRYPTO) would avoid this problem.

That sounds like a good idea.  In the very least these patches should
be redone to do that.

> More generally, is the approach of trying to figure out CommonCrypto
> replacements for DIGEST, HMAC, and the other 29 warnings worthwhile?
> After all, Apple introduced deprecation warnings due to the
> ABI-instability of OpenSSL, not due to any particular flaw in OpenSSL
> or its API. A more manageable approach might simply be to disable that
> particular warning on Darwin (via CFLAGS or perhaps '#pragma GCC
> diagnostic ignored' for more fine-grained control).

My only fear would be that these deprecation warnings would one day
become errors due to the functions being removed.  I don't know how
else to interpret "deprecated".

If we can accomplish the same thing without deprecated APIs (and not
harm other platforms) then that is a good thing.  I doubt we can find
1:1 replacements.  It'll probably have to be fleshed out in compat/.

Warnings in 1 file (imap-send.c) is much better than warnings in 20
files (git grep -l SHA1_Final), which is the itch I'm currently
scratching.  I'll be mindful of making sure that the users can still
plug in their own compliant OpenSSL.
--
David