[Openvpn-devel] Remove LibreSSL specific defines not needed for modern LibreSSL
Commit Message
Most of the functions remove were either already have a version check
against LibreSSL 2.9.0 or are also now deprecated in LibreSSL as well
according to the man pages in OpenBSD 6.8 like SSL_CTX_set_ecdh_auto
and SSL_library_init.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
src/openvpn/ssl_openssl.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
Comments
Hi,
On 15/04/2021 13:45, Arne Schwabe wrote:
> Most of the functions remove were either already have a version check
> against LibreSSL 2.9.0 or are also now deprecated in LibreSSL as well
> according to the man pages in OpenBSD 6.8 like SSL_CTX_set_ecdh_auto
> and SSL_library_init.
>
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
This patch is changing the LibreSSL ifdef logic only, therefore no
functional change is expected for OpenSSL (the only SSL library sharing
code with this patch).
I compile tested with:
* LibreSSL 2.9.3, 3.2.5 and 3.3.0
* OpenSSL 1.0.2, 1.1.0 and 1.1.1
Basic connection test (client connects to server and pings) was
performed with:
* LibreSSL 2.9.3
* OpenSSL 1.0.2
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Regards,
Getting rid of #ifdef is always good :-) - tested on OpenBSD 6.8 ("just
to be sure"), works.
On OpenBSD 6.5, it fails at link time (LibreSSL 2.9.1, RSA_meth_set_pub_enc
and other RSA_meth* functions missing). So, no more support for that
(already end-of-life) OpenBSD version.
FreeBSD ports now has LibreSSL 3.2.5, so I assume it is not going to
break anything there (though I have not bothered to test).
Your patch has been applied to the master branch.
commit 2c0ebe0f12c3d7598dd2f604a5a412b68b728ba9
Author: Arne Schwabe
Date: Thu Apr 15 13:45:41 2021 +0200
Remove LibreSSL specific defines not needed for modern LibreSSL
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210415114541.1001644-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22119.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
@@ -76,7 +76,7 @@ int mydata_index; /* GLOBAL */
void
tls_init_lib(void)
{
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_library_init();
#ifndef ENABLE_SMALL
SSL_load_error_strings();
@@ -90,7 +90,7 @@ tls_init_lib(void)
void
tls_free_lib(void)
{
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_cleanup();
#ifndef ENABLE_SMALL
ERR_free_strings();
@@ -705,7 +705,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
}
else
{
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
* loading */
@@ -1310,9 +1310,7 @@ err:
return 0;
}
-#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \
- || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \
- && !defined(OPENSSL_NO_EC)
+#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
/* called when EC_KEY is destroyed */
static void
@@ -1457,9 +1455,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
goto cleanup;
}
}
-#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \
- || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \
- && !defined(OPENSSL_NO_EC)
+#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
{
if (!tls_ctx_use_external_ec_key(ctx, pkey))
@@ -2147,8 +2143,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
crypto_msg(M_FATAL, "Cannot create SSL object");
}
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) \
- || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090000fL)
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
#else
STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);