Message ID | 20210415114541.1001644-1-arne@rfc2549.org
---|---
State | Accepted
Series | [Openvpn-devel] Remove LibreSSL specific defines not needed for modern LibreSSL
Hi,

On 15/04/2021 13:45, Arne Schwabe wrote:
> Most of the functions removed either already had a version check
> against LibreSSL 2.9.0 or are now also deprecated in LibreSSL
> according to the man pages in OpenBSD 6.8, like SSL_CTX_set_ecdh_auto
> and SSL_library_init.
>
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>

This patch changes the LibreSSL ifdef logic only, therefore no functional change is expected for OpenSSL (the only SSL library sharing code with this patch).

I compile tested with:
* LibreSSL 2.9.3, 3.2.5 and 3.3.0
* OpenSSL 1.0.2, 1.1.0 and 1.1.1

Basic connection test (client connects to server and pings) was performed with:
* LibreSSL 2.9.3
* OpenSSL 1.0.2

Acked-by: Antonio Quartulli <antonio@openvpn.net>

Regards,
Getting rid of #ifdef is always good :-) - tested on OpenBSD 6.8 ("just to be sure"), works.

On OpenBSD 6.5, it fails at link time (LibreSSL 2.9.1, RSA_meth_set_pub_enc and other RSA_meth* functions missing). So, no more support for that (already end-of-life) OpenBSD version.

FreeBSD ports now has LibreSSL 3.2.5, so I assume it is not going to break anything there (though I have not bothered to test).

Your patch has been applied to the master branch.

commit 2c0ebe0f12c3d7598dd2f604a5a412b68b728ba9
Author: Arne Schwabe
Date: Thu Apr 15 13:45:41 2021 +0200

    Remove LibreSSL specific defines not needed for modern LibreSSL

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20210415114541.1001644-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22119.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index cb8ac7727..73b51276c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -76,7 +76,7 @@ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { -#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); #ifndef ENABLE_SMALL SSL_load_error_strings(); @@ -90,7 +90,7 @@ tls_init_lib(void) void tls_free_lib(void) { -#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_cleanup(); #ifndef ENABLE_SMALL ERR_free_strings(); @@ -705,7 +705,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name } else { -#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) +#if OPENSSL_VERSION_NUMBER < 0x10100000L /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ @@ -1310,9 +1310,7 @@ err: return 0; } -#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \ - || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \ - && !defined(OPENSSL_NO_EC) +#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) /* called when EC_KEY is destroyed */ static void @@ -1457,9 +1455,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) goto cleanup; } } -#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \ - || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \ - && !defined(OPENSSL_NO_EC) +#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { if (!tls_ctx_use_external_ec_key(ctx, pkey)) 
@@ -2147,8 +2143,7 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL object"); } -#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) \ - || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090000fL) +#if OPENSSL_VERSION_NUMBER < 0x1010000fL STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); #else STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
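Review bot: In the tls_init_lib and tls_free_lib hunks (@@ -76 and @@ -90), the new guard `#if OPENSSL_VERSION_NUMBER < 0x10100000L` means a LibreSSL build no longer calls SSL_library_init()/SSL_load_error_strings() or EVP_cleanup()/ERR_free_strings() at all, whereas the old `!defined(LIBRESSL_VERSION_NUMBER)` clause made that explicit. The commit message only says these functions are deprecated in LibreSSL; please state that the supported LibreSSL versions self-initialise the way OpenSSL 1.1 does, so the reason it is safe to skip the calls is recorded alongside the test results in the thread.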
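Review bot: The hunk at @@ -1310 replaces `|| LIBRESSL_VERSION_NUMBER > 0x2090000fL` with the bare `#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)`, so the EC external-key code is now compiled for every LibreSSL whose OPENSSL_VERSION_NUMBER compares greater than 0x10100000L, with no lower LibreSSL bound left in the source. The old guard documented the 2.9.0 floor and the new one does not; given the link failure against LibreSSL 2.9.1 reported later in the thread, the commit message should state the resulting minimum supported LibreSSL version.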
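Review bot: Style: the hunk at @@ -1457 writes the condition as `#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)`, while the identical condition introduced at @@ -1310 in this same patch is written without the parentheses, `#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)`. Spell the two the same so a grep for the version guard finds both occurrences.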
Most of the functions removed either already had a version check against LibreSSL 2.9.0 or are now also deprecated in LibreSSL according to the man pages in OpenBSD 6.8, like SSL_CTX_set_ecdh_auto and SSL_library_init.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_openssl.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)