From patchwork Tue Jun 19 18:46:50 2018
X-Patchwork-Submitter: Rosen Penev
X-Patchwork-Id: 376
From: Rosen Penev
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Jun 2018 21:46:50 -0700
Message-Id: <20180620044650.18041-1-rosenp@gmail.com>
Subject: [Openvpn-devel] [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1

Signed-off-by: Rosen Penev --- src/openvpn/crypto_openssl.c | 9 +++++++++ src/openvpn/ssl_openssl.c | 32 +++++++++++++++++++++++++++++++- src/openvpn/ssl_verify_openssl.c | 1 + 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 4fb2f6d6..816d8002 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c 
@@ -670,11 +670,16 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_CIPHER_CTX_init(ctx); +#else + EVP_CIPHER_CTX_new(); +#endif if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #1"); } + #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len)) { @@ -693,7 +698,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, void cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_CIPHER_CTX_cleanup(ctx); +#else + EVP_CIPHER_CTX_free(ctx); +#endif } int diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 527a600a..92ed4926 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -56,6 +56,15 @@ #include #include #include +#ifndef OPENSSL_NO_DH +#include +#endif +#ifndef OPENSSL_NO_DSA +#include +#endif +#ifndef OPENSSL_NO_RSA +#include +#endif #ifndef OPENSSL_NO_EC #include #endif @@ -71,11 +80,19 @@ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); + OpenSSL_add_all_algorithms(); #ifndef ENABLE_SMALL SSL_load_error_strings(); #endif - OpenSSL_add_all_algorithms(); +#else +#ifndef ENABLE_SMALL + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); +#else + OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_SSL_STRINGS, NULL); +#endif +#endif mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); @@ -84,10 +101,12 @@ tls_init_lib(void) void tls_free_lib(void) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L //this is no-op in future versions EVP_cleanup(); #ifndef ENABLE_SMALL ERR_free_strings(); #endif +#endif } void 
@@ -473,6 +492,11 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) goto cleanup; /* Nothing to check if there is no certificate */ } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#define X509_get_notBefore X509_get0_notBefore +#define X509_get_notAfter X509_get0_notAfter +#endif + ret = X509_cmp_time(X509_get_notBefore(cert), NULL); if (ret == 0) { @@ -567,7 +591,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name #if OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_CTX_set_ecdh_auto(ctx->ctx, 1); +#endif return; #else /* For older OpenSSL we have to extract the curve from key on our own */ @@ -2037,7 +2063,11 @@ get_highest_preference_tls_cipher(char *buf, int size) const char * get_ssl_library_version(void) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L return SSLeay_version(SSLEAY_VERSION); +#else + return OpenSSL_version(OPENSSL_VERSION); +#endif } #endif /* defined(ENABLE_CRYPTO_OPENSSL) */ diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 9b984751..82460ae7 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -46,6 +46,7 @@ #include #include +#include int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
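
Review bot: in src/openvpn/crypto_openssl.c, cipher_ctx_init(), the 1.1 branch calls EVP_CIPHER_CTX_new() and discards the return value, so every call allocates a context that is leaked, and the caller's ctx reaches EVP_CipherInit() without the initialisation the pre-1.1 branch gives it. The 1.1 equivalent of EVP_CIPHER_CTX_init(ctx) is EVP_CIPHER_CTX_reset(ctx); use that in the #else branch. The blank line added before #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH is unrelated whitespace and should be dropped.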
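
Review bot: in src/openvpn/crypto_openssl.c, cipher_ctx_cleanup(), the two branches no longer have the same ownership semantics: EVP_CIPHER_CTX_cleanup(ctx) clears the context and leaves the memory with the caller, while EVP_CIPHER_CTX_free(ctx) releases it. A caller that frees or reuses ctx after cipher_ctx_cleanup() becomes a double free or use-after-free on 1.1 only. Keep the function a pure cleanup by calling EVP_CIPHER_CTX_reset(ctx) in the #else branch and leave freeing to whoever allocated the context.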
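
Review bot: in src/openvpn/ssl_openssl.c, tls_init_lib(), both new OPENSSL_init_ssl() calls ignore the return value, so a failed library initialisation goes unnoticed until the later SSL_get_ex_new_index() ASSERT or beyond. Check the result and fail hard, in the style of the existing ASSERT(mydata_index >= 0). Separately, moving OpenSSL_add_all_algorithms() ahead of SSL_load_error_strings() in the pre-1.1 branch changes the old code path for no stated reason; leave that order as it was. The nested #else/#endif lines would be easier to follow with a trailing comment naming the condition they close.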
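
Review bot: in src/openvpn/ssl_openssl.c, tls_free_lib(), the comment "//this is no-op in future versions" is a C++-style comment appended to the #if line, while the surrounding code uses /* ... */ comments. Put it on its own line as a /* */ comment and say which version it refers to, since "future versions" is ambiguous next to a check against 0x10100000L.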
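
Review bot: in src/openvpn/ssl_openssl.c, tls_ctx_check_cert_time(), the two #define lines sit in the middle of the function body and are not guarded, so they silently remap X509_get_notBefore and X509_get_notAfter for the rest of the translation unit and redefine the names on a 1.1 build that still has the deprecated API enabled and provides them itself. Move the mapping to the top of the file or a compat header and wrap each define in #ifndef, or call X509_get0_notBefore()/X509_get0_notAfter() directly here and supply the fallback define for pre-1.1 instead.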