Message ID | 20190724152934.9884-1-arne@rfc2549.org |
---|---|
State | Accepted |
Headers | show |
Series | [Openvpn-devel,v3] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs | expand |
On Wed, Jul 24, 2019 at 8:29 AM Arne Schwabe <arne@rfc2549.org> wrote: > > From: Rosen Penev <rosenp@gmail.com> > > EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were > replaced with _reset. > > EVP_CIPHER_CTX_free in OpenSSL 1.1 replaces the cleanup/free combo of > earlier OpenSSL version. And OpenSSL 1.0.2 already calls cleanup as part > of _free. > > Therefore we can remove the _cleanup calls and use the OpenSSL 1.1. API > everywhere. > > Also removed initialisation with OpenSSL 1.1 as it is no longer > needed and causes compilation errors when disabling deprecated APIs. > > Same with SSL_CTX_set_ecdh_auto as it got removed. > > Patch V3: Use EVP_CIPHER_CTX_reset instead of init/cleanup > > Signed-off-by: Rosen Penev <rosenp@gmail.com> > Signed-off-by: Arne Schwabe <arne@rfc2549.org> ACK > --- > configure.ac | 3 +++ > src/openvpn/crypto.c | 1 - > src/openvpn/crypto_backend.h | 9 +-------- > src/openvpn/crypto_mbedtls.c | 7 +------ > src/openvpn/crypto_openssl.c | 8 +------- > src/openvpn/openssl_compat.h | 12 ++++++++++++ > src/openvpn/ssl_openssl.c | 18 ++++++++++++------ > 7 files changed, 30 insertions(+), 28 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 59673e04..b8e2476f 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -918,10 +918,13 @@ if test "${with_crypto_library}" = "openssl"; then > EVP_MD_CTX_new \ > EVP_MD_CTX_free \ > EVP_MD_CTX_reset \ > + EVP_CIPHER_CTX_reset \ > OpenSSL_version \ > SSL_CTX_get_default_passwd_cb \ > SSL_CTX_get_default_passwd_cb_userdata \ > SSL_CTX_set_security_level \ > + X509_get0_notBefore \ > + X509_get0_notAfter \ > X509_get0_pubkey \ > X509_STORE_get0_objects \ > X509_OBJECT_free \ > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 8a92a8c1..585bfbc6 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c > @@ -906,7 +906,6 @@ free_key_ctx(struct key_ctx *ctx) > { > if (ctx->cipher) > { > - cipher_ctx_cleanup(ctx->cipher); > cipher_ctx_free(ctx->cipher); > ctx->cipher = NULL; > } > diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h > index 7e9a4bd2..d119442f 100644 > --- a/src/openvpn/crypto_backend.h > +++ b/src/openvpn/crypto_backend.h > @@ -341,7 +341,7 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher); > cipher_ctx_t *cipher_ctx_new(void); > > /** > - * Free a cipher context > + * Cleanup and free a cipher context > * > * @param ctx Cipher context. > */ > @@ -360,13 +360,6 @@ void cipher_ctx_free(cipher_ctx_t *ctx); > void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, int key_len, > const cipher_kt_t *kt, int enc); > > -/** > - * Cleanup the specified context. > - * > - * @param ctx Cipher context to cleanup. > - */ > -void cipher_ctx_cleanup(cipher_ctx_t *ctx); > - > /** > * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is > * used. > diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c > index 2e931440..f924323d 100644 > --- a/src/openvpn/crypto_mbedtls.c > +++ b/src/openvpn/crypto_mbedtls.c > @@ -616,12 +616,6 @@ cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, int key_len, > ASSERT(ctx->key_bitlen <= key_len*8); > } > > -void > -cipher_ctx_cleanup(mbedtls_cipher_context_t *ctx) > -{ > - mbedtls_cipher_free(ctx); > -} > - > int > cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx) > { > @@ -861,6 +855,7 @@ md_ctx_new(void) > void > md_ctx_free(mbedtls_md_context_t *ctx) > { > + mbedtls_cipher_free(ctx); > free(ctx); > } > > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index c049e52d..520e40ee 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -772,7 +772,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, > { > ASSERT(NULL != kt && NULL != ctx); > > - EVP_CIPHER_CTX_init(ctx); > + EVP_CIPHER_CTX_reset(ctx); > if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) > { > crypto_msg(M_FATAL, "EVP cipher init #1"); > @@ -792,12 +792,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, > ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= key_len); > } > > -void > -cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) > -{ > - EVP_CIPHER_CTX_cleanup(ctx); > -} > - > int > cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx) > { > diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h > index a4072b9a..4ac8f24d 100644 > --- a/src/openvpn/openssl_compat.h > +++ b/src/openvpn/openssl_compat.h > @@ -89,6 +89,18 @@ EVP_MD_CTX_new(void) > } > #endif > > +#if !defined(HAVE_EVP_CIPHER_CTX_RESET) > +#define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_init > +#endif > + > +#if !defined(HAVE_X509_GET0_NOTBEFORE) > +#define X509_get0_notBefore X509_get_notBefore > +#endif > + > +#if !defined(HAVE_X509_GET0_NOTAFTER) > +#define X509_get0_notAfter X509_get_notAfter > +#endif > + > #if !defined(HAVE_HMAC_CTX_RESET) > /** > * Reset a HMAC context > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index 05ca4113..c029d0f2 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */ > void > tls_init_lib(void) > { > +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) > SSL_library_init(); > -#ifndef ENABLE_SMALL > +# ifndef ENABLE_SMALL > SSL_load_error_strings(); > -#endif > +# endif > OpenSSL_add_all_algorithms(); > - > +#endif > mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); > ASSERT(mydata_index >= 0); > } > @@ -89,9 +90,11 @@ tls_init_lib(void) > void > tls_free_lib(void) > { > +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) > EVP_cleanup(); > -#ifndef ENABLE_SMALL > +# ifndef ENABLE_SMALL > ERR_free_strings(); > +# endif > #endif > } > > @@ -567,7 +570,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) > goto cleanup; /* Nothing to check if there is no certificate */ > } > > - ret = X509_cmp_time(X509_get_notBefore(cert), NULL); > + ret = X509_cmp_time(X509_get0_notBefore(cert), NULL); > if (ret == 0) > { > msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); > @@ -577,7 +580,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) > msg(M_WARN, "WARNING: Your certificate is not yet valid!"); > } > > - ret = X509_cmp_time(X509_get_notAfter(cert), NULL); > + ret = X509_cmp_time(X509_get0_notAfter(cert), NULL); > if (ret == 0) > { > msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); > @@ -660,10 +663,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name > else > { > #if OPENSSL_VERSION_NUMBER >= 0x10002000L > +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) > + > /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter > * loading */ > SSL_CTX_set_ecdh_auto(ctx->ctx, 1); > return; > +#endif > #else > /* For older OpenSSL we have to extract the curve from key on our own */ > EC_KEY *eckey = NULL; > -- > 2.22.0 >
On 24-07-19 17:29, Arne Schwabe wrote: > From: Rosen Penev <rosenp@gmail.com> > > EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were > replaced with _reset. > > EVP_CIPHER_CTX_free in OpenSSL 1.1 replaces the cleanup/free combo of > earlier OpenSSL version. And OpenSSL 1.0.2 already calls cleanup as part > of _free. > > Therefore we can remove the _cleanup calls and use the OpenSSL 1.1. API > everywhere. > > Also removed initialisation with OpenSSL 1.1 as it is no longer > needed and causes compilation errors when disabling deprecated APIs. > > Same with SSL_CTX_set_ecdh_auto as it got removed. > > Patch V3: Use EVP_CIPHER_CTX_reset instead of init/cleanup > > Signed-off-by: Rosen Penev <rosenp@gmail.com> > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > --- > configure.ac | 3 +++ > src/openvpn/crypto.c | 1 - > src/openvpn/crypto_backend.h | 9 +-------- > src/openvpn/crypto_mbedtls.c | 7 +------ > src/openvpn/crypto_openssl.c | 8 +------- > src/openvpn/openssl_compat.h | 12 ++++++++++++ > src/openvpn/ssl_openssl.c | 18 ++++++++++++------ > 7 files changed, 30 insertions(+), 28 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 59673e04..b8e2476f 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -918,10 +918,13 @@ if test "${with_crypto_library}" = "openssl"; then > EVP_MD_CTX_new \ > EVP_MD_CTX_free \ > EVP_MD_CTX_reset \ > + EVP_CIPHER_CTX_reset \ > OpenSSL_version \ > SSL_CTX_get_default_passwd_cb \ > SSL_CTX_get_default_passwd_cb_userdata \ > SSL_CTX_set_security_level \ > + X509_get0_notBefore \ > + X509_get0_notAfter \ > X509_get0_pubkey \ > X509_STORE_get0_objects \ > X509_OBJECT_free \ > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 8a92a8c1..585bfbc6 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c > @@ -906,7 +906,6 @@ free_key_ctx(struct key_ctx *ctx) > { > if (ctx->cipher) > { > - cipher_ctx_cleanup(ctx->cipher); > cipher_ctx_free(ctx->cipher); > ctx->cipher = NULL; > } > diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h > index 7e9a4bd2..d119442f 100644 > --- a/src/openvpn/crypto_backend.h > +++ b/src/openvpn/crypto_backend.h > @@ -341,7 +341,7 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher); > cipher_ctx_t *cipher_ctx_new(void); > > /** > - * Free a cipher context > + * Cleanup and free a cipher context > * > * @param ctx Cipher context. > */ > @@ -360,13 +360,6 @@ void cipher_ctx_free(cipher_ctx_t *ctx); > void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, int key_len, > const cipher_kt_t *kt, int enc); > > -/** > - * Cleanup the specified context. > - * > - * @param ctx Cipher context to cleanup. > - */ > -void cipher_ctx_cleanup(cipher_ctx_t *ctx); > - > /** > * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is > * used. > diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c > index 2e931440..f924323d 100644 > --- a/src/openvpn/crypto_mbedtls.c > +++ b/src/openvpn/crypto_mbedtls.c > @@ -616,12 +616,6 @@ cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, int key_len, > ASSERT(ctx->key_bitlen <= key_len*8); > } > > -void > -cipher_ctx_cleanup(mbedtls_cipher_context_t *ctx) > -{ > - mbedtls_cipher_free(ctx); > -} > - > int > cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx) > { > @@ -861,6 +855,7 @@ md_ctx_new(void) > void > md_ctx_free(mbedtls_md_context_t *ctx) > { > + mbedtls_cipher_free(ctx); > free(ctx); > } > > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index c049e52d..520e40ee 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -772,7 +772,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, > { > ASSERT(NULL != kt && NULL != ctx); > > - EVP_CIPHER_CTX_init(ctx); > + EVP_CIPHER_CTX_reset(ctx); > if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) > { > crypto_msg(M_FATAL, "EVP cipher init #1"); > @@ -792,12 +792,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, > ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= key_len); > } > > -void > -cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) > -{ > - EVP_CIPHER_CTX_cleanup(ctx); > -} > - > int > cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx) > { > diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h > index a4072b9a..4ac8f24d 100644 > --- a/src/openvpn/openssl_compat.h > +++ b/src/openvpn/openssl_compat.h > @@ -89,6 +89,18 @@ EVP_MD_CTX_new(void) > } > #endif > > +#if !defined(HAVE_EVP_CIPHER_CTX_RESET) > +#define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_init > +#endif > + > +#if !defined(HAVE_X509_GET0_NOTBEFORE) > +#define X509_get0_notBefore X509_get_notBefore > +#endif > + > +#if !defined(HAVE_X509_GET0_NOTAFTER) > +#define X509_get0_notAfter X509_get_notAfter > +#endif > + > #if !defined(HAVE_HMAC_CTX_RESET) > /** > * Reset a HMAC context > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index 05ca4113..c029d0f2 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */ > void > tls_init_lib(void) > { > +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) > SSL_library_init(); > -#ifndef ENABLE_SMALL > +# ifndef ENABLE_SMALL > SSL_load_error_strings(); > -#endif > +# endif > OpenSSL_add_all_algorithms(); > - > +#endif > mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); > ASSERT(mydata_index >= 0); > } > @@ -89,9 +90,11 @@ tls_init_lib(void) > void > tls_free_lib(void) > { > +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) > EVP_cleanup(); > -#ifndef ENABLE_SMALL > +# ifndef ENABLE_SMALL > ERR_free_strings(); > +# endif > #endif > } > > @@ -567,7 +570,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) > goto cleanup; /* Nothing to check if there is no certificate */ > } > > - ret = X509_cmp_time(X509_get_notBefore(cert), NULL); > + ret = X509_cmp_time(X509_get0_notBefore(cert), NULL); > if (ret == 0) > { > msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); > @@ -577,7 +580,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) > msg(M_WARN, "WARNING: Your certificate is not yet valid!"); > } > > - ret = X509_cmp_time(X509_get_notAfter(cert), NULL); > + ret = X509_cmp_time(X509_get0_notAfter(cert), NULL); > if (ret == 0) > { > msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); > @@ -660,10 +663,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name > else > { > #if OPENSSL_VERSION_NUMBER >= 0x10002000L > +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) > + > /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter > * loading */ > SSL_CTX_set_ecdh_auto(ctx->ctx, 1); > return; > +#endif > #else > /* For older OpenSSL we have to extract the curve from key on our own */ > EC_KEY *eckey = NULL; > Code looks good, verified that TLS connections still works with mbedtls and openssl builds. Acked-by: Steffan Karger <steffan@karger.me> -Steffan
Your patch has been applied to the master branch. Is this also suitable for release/2.4? "You folks tell me, I do the cherry-picking" (if it applies) :-) I have removed the extra spaces in "# if" constructs, as this is not something we use elsewhere on nested CPP expressions (it came up in the discussion, but was still part of this patch). Tested lightly with openssl 1.0.2o and 1.1.1. commit 8a01147ff77e4ae2e377744b89fbe4b6841b2bb0 (master) Author: Rosen Penev Date: Wed Jul 24 17:29:34 2019 +0200 openssl: Fix compilation without deprecated OpenSSL 1.1 APIs Signed-off-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Rosen Penev <rosenp@gmail.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20190724152934.9884-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18700.html Signed-off-by: Gert Doering <gert@greenie.muc.de> -- kind regards, Gert Doering
On Fri, Aug 16, 2019 at 12:31 PM Gert Doering <gert@greenie.muc.de> wrote: > > Your patch has been applied to the master branch. > > Is this also suitable for release/2.4? "You folks tell me, I do the > cherry-picking" (if it applies) :-) 2.4 is what I did my testing on, so yes. > > I have removed the extra spaces in "# if" constructs, as this is not > something we use elsewhere on nested CPP expressions (it came up in the > discussion, but was still part of this patch). > > Tested lightly with openssl 1.0.2o and 1.1.1. > > commit 8a01147ff77e4ae2e377744b89fbe4b6841b2bb0 (master) > Author: Rosen Penev > Date: Wed Jul 24 17:29:34 2019 +0200 > > openssl: Fix compilation without deprecated OpenSSL 1.1 APIs > > Signed-off-by: Rosen Penev <rosenp@gmail.com> > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > Acked-by: Rosen Penev <rosenp@gmail.com> > Acked-by: Steffan Karger <steffan.karger@fox-it.com> > Message-Id: <20190724152934.9884-1-arne@rfc2549.org> > URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18700.html > Signed-off-by: Gert Doering <gert@greenie.muc.de> > > > -- > kind regards, > > Gert Doering >
Hi, On Fri, Aug 16, 2019 at 09:31:52PM +0200, Gert Doering wrote: > Your patch has been applied to the master branch. > > Is this also suitable for release/2.4? "You folks tell me, I do the > cherry-picking" (if it applies) :-) > > I have removed the extra spaces in "# if" constructs, as this is not > something we use elsewhere on nested CPP expressions (it came up in the > discussion, but was still part of this patch). > > Tested lightly with openssl 1.0.2o and 1.1.1. I should have tested with mbedtls :-/ - buildbot tells me that a good number of platforms have started core dumping on the mbedtls client tests with this commit. *** Error in `../src/openvpn/openvpn': free(): invalid next size (fast): +0x0000000000c74850 *** ./t_client.sh: line 262: 8896 Aborted (core dumped) $RUN_SUDO +"${top_builddir}/src/openvpn/openvpn" $openvpn_conf >> $LOGDIR/$SUF:openvpn.log OpenVPN running with PID 8896 (I have seen this on fedora29 and one of the FreeBSDs, but there is "more red" - more details on mbedTLS versions in use can be provided) Steffan, if you could have a look, this would be most appreciated... gert
Hi, On Fri, Aug 16, 2019 at 12:42:46PM -0700, Rosen Penev wrote: > On Fri, Aug 16, 2019 at 12:31 PM Gert Doering <gert@greenie.muc.de> wrote: > > > > Your patch has been applied to the master branch. > > > > Is this also suitable for release/2.4? "You folks tell me, I do the > > cherry-picking" (if it applies) :-) > 2.4 is what I did my testing on, so yes. So - took me a bit, but here we go. I backported this and the mbedtls explosive patch to release/2.4, for long-term compatibility reasons. commit 416532f8e4125adb7862b2dce5c2d47d85b260df (HEAD -> release/2.4, mattock/re lease/2.4) Author: Antonio Quartulli <a@unstable.cc> Date: Fri Aug 16 22:49:45 2019 +0200 mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() commit 66b93b5e708b48778a5954fdcfe708b76b947a06 Author: Rosen Penev <rosenp@gmail.com> Date: Wed Jul 24 17:29:34 2019 +0200 openssl: Fix compilation without deprecated OpenSSL 1.1 APIs I've sent the combo to the buildslaves, and no explosions were seen - and besides them, I tested mbedtls 2.17.0, OpenSSL 1.1.1 and OpenSSL 1.0.2o locally (no explosions either). Good to go... :-) gert
diff --git a/configure.ac b/configure.ac index 59673e04..b8e2476f 100644 --- a/configure.ac +++ b/configure.ac @@ -918,10 +918,13 @@ if test "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + EVP_CIPHER_CTX_reset \ OpenSSL_version \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ + X509_get0_notBefore \ + X509_get0_notAfter \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 8a92a8c1..585bfbc6 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -906,7 +906,6 @@ free_key_ctx(struct key_ctx *ctx) { if (ctx->cipher) { - cipher_ctx_cleanup(ctx->cipher); cipher_ctx_free(ctx->cipher); ctx->cipher = NULL; } diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 7e9a4bd2..d119442f 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -341,7 +341,7 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher); cipher_ctx_t *cipher_ctx_new(void); /** - * Free a cipher context + * Cleanup and free a cipher context * * @param ctx Cipher context. */ @@ -360,13 +360,6 @@ void cipher_ctx_free(cipher_ctx_t *ctx); void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, int key_len, const cipher_kt_t *kt, int enc); -/** - * Cleanup the specified context. - * - * @param ctx Cipher context to cleanup. - */ -void cipher_ctx_cleanup(cipher_ctx_t *ctx); - /** * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is * used. diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 2e931440..f924323d 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -616,12 +616,6 @@ cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, int key_len, ASSERT(ctx->key_bitlen <= key_len*8); } -void -cipher_ctx_cleanup(mbedtls_cipher_context_t *ctx) -{ - mbedtls_cipher_free(ctx); -} - int cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx) { @@ -861,6 +855,7 @@ md_ctx_new(void) void md_ctx_free(mbedtls_md_context_t *ctx) { + mbedtls_cipher_free(ctx); free(ctx); } diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c049e52d..520e40ee 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -772,7 +772,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); - EVP_CIPHER_CTX_init(ctx); + EVP_CIPHER_CTX_reset(ctx); if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #1"); @@ -792,12 +792,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= key_len); } -void -cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) -{ - EVP_CIPHER_CTX_cleanup(ctx); -} - int cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx) { diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index a4072b9a..4ac8f24d 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -89,6 +89,18 @@ EVP_MD_CTX_new(void) } #endif +#if !defined(HAVE_EVP_CIPHER_CTX_RESET) +#define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_init +#endif + +#if !defined(HAVE_X509_GET0_NOTBEFORE) +#define X509_get0_notBefore X509_get_notBefore +#endif + +#if !defined(HAVE_X509_GET0_NOTAFTER) +#define X509_get0_notAfter X509_get_notAfter +#endif + #if !defined(HAVE_HMAC_CTX_RESET) /** * Reset a HMAC context diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 05ca4113..c029d0f2 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) SSL_library_init(); -#ifndef ENABLE_SMALL +# ifndef ENABLE_SMALL SSL_load_error_strings(); -#endif +# endif OpenSSL_add_all_algorithms(); - +#endif mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); } @@ -89,9 +90,11 @@ tls_init_lib(void) void tls_free_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) EVP_cleanup(); -#ifndef ENABLE_SMALL +# ifndef ENABLE_SMALL ERR_free_strings(); +# endif #endif } @@ -567,7 +570,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) goto cleanup; /* Nothing to check if there is no certificate */ } - ret = X509_cmp_time(X509_get_notBefore(cert), NULL); + ret = X509_cmp_time(X509_get0_notBefore(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); @@ -577,7 +580,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) msg(M_WARN, "WARNING: Your certificate is not yet valid!"); } - ret = X509_cmp_time(X509_get_notAfter(cert), NULL); + ret = X509_cmp_time(X509_get0_notAfter(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); @@ -660,10 +663,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name else { #if OPENSSL_VERSION_NUMBER >= 0x10002000L +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) + /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ SSL_CTX_set_ecdh_auto(ctx->ctx, 1); return; +#endif #else /* For older OpenSSL we have to extract the curve from key on our own */ EC_KEY *eckey = NULL;