From patchwork Thu Jun 21 15:49:05 2018
X-Patchwork-Submitter: Rosen Penev
X-Patchwork-Id: 377
From: Rosen Penev
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 21 Jun 2018 18:49:05 -0700
Message-Id: <20180622014905.21558-1-rosenp@gmail.com>
Subject: [Openvpn-devel] [PATCH] openvpn: Add missing OpenSSL includes

These get included when deprecated APIs are enabled. This is true on at least
version 1.0.2 and 1.1.0. Without deprecated APIs, OpenVPN fails to compile.

Signed-off-by: Rosen Penev
---
 ...ilation-with-deprecated-APIs-disable.patch | 148 ++++++++++++++++++
 src/openvpn/ssl_openssl.c | 9 ++
 src/openvpn/ssl_verify_openssl.c | 1 +
 3 files changed, 158 insertions(+)
 create mode 100644 src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch
diff --git a/src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch b/src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch new file mode 100644 index 00000000..11adff21 --- /dev/null +++ b/src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch 
@@ -0,0 +1,148 @@ +From f581a10cbf5b40afbee2d9fc9454ce12e1611668 Mon Sep 17 00:00:00 2001 +From: Rosen Penev +Date: Tue, 19 Jun 2018 21:44:57 -0700 +Subject: [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1 + +Signed-off-by: Rosen Penev +--- + src/openvpn/crypto_openssl.c | 9 +++++++++ + src/openvpn/ssl_openssl.c | 32 +++++++++++++++++++++++++++++++- + src/openvpn/ssl_verify_openssl.c | 1 + + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c +index 4fb2f6d6..816d8002 100644 +--- a/src/openvpn/crypto_openssl.c ++++ b/src/openvpn/crypto_openssl.c +@@ -670,11 +670,16 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, + { + ASSERT(NULL != kt && NULL != ctx); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_init(ctx); ++#else ++ EVP_CIPHER_CTX_new(); ++#endif + if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) + { + crypto_msg(M_FATAL, "EVP cipher init #1"); + } ++ + #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH + if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len)) + { +@@ -693,7 +698,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, + void + cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) + { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_cleanup(ctx); ++#else ++ EVP_CIPHER_CTX_free(ctx); ++#endif + } + + int +diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c +index 527a600a..92ed4926 100644 +--- a/src/openvpn/ssl_openssl.c ++++ b/src/openvpn/ssl_openssl.c +@@ -56,6 +56,15 @@ + #include + #include + #include ++#ifndef OPENSSL_NO_DH ++#include ++#endif ++#ifndef OPENSSL_NO_DSA ++#include ++#endif ++#ifndef OPENSSL_NO_RSA ++#include ++#endif + #ifndef OPENSSL_NO_EC + #include + #endif +@@ -71,11 +80,19 @@ int mydata_index; /* GLOBAL */ + void + tls_init_lib(void) + { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_library_init(); ++ OpenSSL_add_all_algorithms(); + #ifndef ENABLE_SMALL + 
SSL_load_error_strings(); + #endif +- OpenSSL_add_all_algorithms(); ++#else ++#ifndef ENABLE_SMALL ++ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); ++#else ++ OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_SSL_STRINGS, NULL); ++#endif ++#endif + + mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); + ASSERT(mydata_index >= 0); +@@ -84,10 +101,12 @@ tls_init_lib(void) + void + tls_free_lib(void) + { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L //this is no-op in future versions + EVP_cleanup(); + #ifndef ENABLE_SMALL + ERR_free_strings(); + #endif ++#endif + } + + void +@@ -473,6 +492,11 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) + goto cleanup; /* Nothing to check if there is no certificate */ + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#define X509_get_notBefore X509_get0_notBefore ++#define X509_get_notAfter X509_get0_notAfter ++#endif ++ + ret = X509_cmp_time(X509_get_notBefore(cert), NULL); + if (ret == 0) + { +@@ -567,7 +591,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name + #if OPENSSL_VERSION_NUMBER >= 0x10002000L + /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter + * loading */ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_CTX_set_ecdh_auto(ctx->ctx, 1); ++#endif + return; + #else + /* For older OpenSSL we have to extract the curve from key on our own */ +@@ -2037,7 +2063,11 @@ get_highest_preference_tls_cipher(char *buf, int size) + const char * + get_ssl_library_version(void) + { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + return SSLeay_version(SSLEAY_VERSION); ++#else ++ return OpenSSL_version(OPENSSL_VERSION); ++#endif + } + + #endif /* defined(ENABLE_CRYPTO_OPENSSL) */ +diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c +index 9b984751..82460ae7 100644 +--- a/src/openvpn/ssl_verify_openssl.c ++++ b/src/openvpn/ssl_verify_openssl.c +@@ -46,6 +46,7 @@ + + #include + #include ++#include + + int + verify_callback(int 
preverify_ok, X509_STORE_CTX *ctx) +-- +2.17.1 + diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 527a600a..d9aec9bd 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -56,6 +56,15 @@ #include #include #include +#ifndef OPENSSL_NO_DH +#include +#endif +#ifndef OPENSSL_NO_DSA +#include +#endif +#ifndef OPENSSL_NO_RSA +#include +#endif #ifndef OPENSSL_NO_EC #include #endif diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 9b984751..82460ae7 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -46,6 +46,7 @@ #include #include +#include int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
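
Review bot: the first file in this diff, src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch, is a 148-line git format-patch output added as a new file under src/openvpn/; it looks like a leftover from the working tree and should be dropped, since the subject and commit message only promise missing includes. If the changes inside it are meant to be proposed, send them as their own patch against the sources. In that case the `EVP_CIPHER_CTX_new();` line in cipher_ctx_init() needs another look: its return value is discarded, so on 1.1.0 an unused context is allocated and the caller's ctx is no longer initialised before EVP_CipherInit(), and cipher_ctx_cleanup() would free the ctx with EVP_CIPHER_CTX_free() where the pre-1.1.0 branch only cleans it up.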
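
Review bot: the commit message for the ssl_openssl.c hunk at line 56 says "These get included when deprecated APIs are enabled" without naming which header pulls them in or which functions in this file need the DH, DSA and RSA declarations; please spell that out so a reader can check that each of the three includes is required. The `#ifndef OPENSSL_NO_DH` / `OPENSSL_NO_DSA` / `OPENSSL_NO_RSA` guards follow the existing `OPENSSL_NO_EC` block directly below, which is consistent, but it is worth confirming that the code using these types is itself compiled out when the matching OPENSSL_NO_* macro is defined.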
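
Review bot: the single include added at line 46 of ssl_verify_openssl.c is unconditional, while the three added to ssl_openssl.c in the same patch sit behind OPENSSL_NO_* guards; the commit message should say which symbol in the verify code needs it and why no guard applies here, so the difference reads as deliberate.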