From patchwork Wed Apr  3 11:56:57 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Rosen Penev <rosenp@gmail.com>
X-Patchwork-Id: 713
X-Patchwork-Delegate: arne-openvpn@rfc2549.org
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Delivered-To: patchwork@openvpn.net
Received: from director9.mail.ord1d.rsapps.net ([172.31.255.6])
	by backend30.mail.ord1d.rsapps.net with LMTP id 2FgZKZE6pVxPCQAAIUCqbw
	for <patchwork@openvpn.net>; Wed, 03 Apr 2019 18:58:25 -0400
Received: from proxy1.mail.iad3b.rsapps.net ([172.31.255.6])
	by director9.mail.ord1d.rsapps.net with LMTP id OOURJpE6pVwUCgAAalYnBA
	; Wed, 03 Apr 2019 18:58:25 -0400
Received: from smtp29.gate.iad3b ([172.31.255.6])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by proxy1.mail.iad3b.rsapps.net with LMTP id cNP3HpE6pVx0NwAALM5PBw
	; Wed, 03 Apr 2019 18:58:25 -0400
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: openvpnslackdevel@openvpn.net
X-Originating-Ip: [216.105.38.7]
Authentication-Results: smtp29.gate.iad3b.rsapps.net;
 iprev=pass policy.iprev="216.105.38.7";
 spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net"
 smtp.helo="lists.sourceforge.net";
 dkim=fail (signature verification failed) header.d=sourceforge.net;
 dkim=fail (signature verification failed) header.d=sf.net;
 dkim=fail (signature verification failed) header.d=gmail.com;
 dmarc=fail (p=none; dis=none) header.from=gmail.com
X-Suspicious-Flag: YES
X-Classification-ID: fc453f3e-5663-11e9-bda3-525400534f55-1-1
Received: from [216.105.38.7] ([216.105.38.7:14082]
 helo=lists.sourceforge.net)
	by smtp29.gate.iad3b.rsapps.net (envelope-from
 <openvpn-devel-bounces@lists.sourceforge.net>)
	(ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384)
	id D2/C0-26580-19A35AC5; Wed, 03 Apr 2019 18:58:25 -0400
Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com)
	by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1hBoof-0006Mz-Mq; Wed, 03 Apr 2019 22:57:09 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-1.v29.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1)
 (envelope-from <rosenp@gmail.com>) id 1hBooe-0006Mk-9t
 for openvpn-devel@lists.sourceforge.net; Wed, 03 Apr 2019 22:57:08 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:
 MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=41LuhPO9Tquoow333450xZmlI04bjXtC7KuziRLk5So=; b=c+/RzQMUsvq8taNurwHsMGRCFY
 rmxkTvUKqyTrFaw8UnXndB2LD3f0uOmecX9SvnjsWt/L9EiiybFVQ8q9bLNTbqPj3Ua0aXfAhCiOI
 qme9CgLh6D6UbQ3Bzi8ymchdWOf8RgG19ETtNQccxNqetsKSHHa2QclF3PNrqzkq/1iM=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:MIME-Version:
 Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:
 Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
 In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=41LuhPO9Tquoow333450xZmlI04bjXtC7KuziRLk5So=; b=kDQu+r8qs0rrDK6jFRnxmBdMmA
 4scJJKG5fwNLvtShKN9xMK4fbkRcvmVJKDOYCPi60FG7bwGvNewx6MR+ls8eEDp+GBfgNfD/yZ60j
 T8xx1z8pHEVAb+R8DVgazzAwp8mCU4uI95t/NniwPrXDsUQSJO9eeX7d62oDYKBSz5GA=;
Received: from mail-pg1-f196.google.com ([209.85.215.196])
 by sfi-mx-1.v28.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.90_1)
 id 1hBooc-00DMuA-86
 for openvpn-devel@lists.sourceforge.net; Wed, 03 Apr 2019 22:57:08 +0000
Received: by mail-pg1-f196.google.com with SMTP id k19so218409pgh.0
 for <openvpn-devel@lists.sourceforge.net>;
 Wed, 03 Apr 2019 15:57:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:subject:date:message-id;
 bh=41LuhPO9Tquoow333450xZmlI04bjXtC7KuziRLk5So=;
 b=XS9iOWnxqlyRfQicRTO/upl+cnAtv9a3MxLWgg2IRzwdomELUPlmFwunuufoneW5Wb
 FUf3ewkCRinlEXESe3FSKDknWzO5P+Bj+yFW70e8AnW6+y/JERJVOaiZlu8I0NN4yR1S
 nS+oRtKxnj/X1WErvTW65SWwSb0c2oSG27rkmceFofdeTYc50cHyEaQpdogBX282F7kB
 Wh5ZUezFrT9vu7rWwQdGBWekOti++UCDcqQGMUIx3JpXg98iNu+wN4l6aFJ37U476jhG
 74rahYEJWBMGzgfKu9Gwdi9pXmLKJux4ZHIet7d49ee6bSUbMAWJ2/IYOjeq3nG5gpKF
 rJWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:subject:date:message-id;
 bh=41LuhPO9Tquoow333450xZmlI04bjXtC7KuziRLk5So=;
 b=EEPDIbTqfEF8QnTK7H6/3dNWp7Vc4zz4dxHq7JHO1a5pzOjI8iYnXkBGCAHMuR8+iK
 iE7M2VzHAbf55fvnT5z7ICfhXPB6V5ImIAc4mZY/jh+frZRMEMMIwyL2V0mQWV7xmh2d
 J1AzjHO9rw87FOsS3StrmWXwU2v00mJ39tFccCrQCa0YNmkMAKqKeUQQ2FCrC4rcYFeR
 QEbuoN3VExBggUaRD866eY0X06jjHxfBt+CimkaVxtH6PPa+X1reFFJ4tAlWAQW841bB
 Al1WAb1Ann72G0s8LnKpCT1VSw/Y1l5qq/uEII9jI//nGQ1xKsnKMSLsiriudAH+8SFA
 +qsA==
X-Gm-Message-State: APjAAAVazViYzQQNjVwDGyx3TYVgpbqUROEN30M66+QpvBgQJUL6vmna
 R+DbIgSnlE26Lk4It7D2ioI2q1z4XBY=
X-Google-Smtp-Source: 
 APXvYqyVWHTzd9m9732qYXRBpEf1ySAiNBmg37tUJcZ5P9DKH1542nkNnrFcAxU6iaAvEtbsIfgJSA==
X-Received: by 2002:a63:c242:: with SMTP id l2mr2329259pgg.138.1554332219481;
 Wed, 03 Apr 2019 15:56:59 -0700 (PDT)
Received: from mangix-pc.lan (astound-69-42-18-19.ca.astound.net.
 [69.42.18.19])
 by smtp.gmail.com with ESMTPSA id r76sm9099938pfa.39.2019.04.03.15.56.58
 for <openvpn-devel@lists.sourceforge.net>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 03 Apr 2019 15:56:58 -0700 (PDT)
From: Rosen Penev <rosenp@gmail.com>
To: openvpn-devel@lists.sourceforge.net
Date: Wed,  3 Apr 2019 15:56:57 -0700
Message-Id: <20190403225657.8003-1-rosenp@gmail.com>
X-Mailer: git-send-email 2.17.1
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
 See http://spamassassin.org/tag/ for more details.
 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
 (rosenp[at]gmail.com)
 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
 See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information. [URIs: configure.ac]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no
 trust [209.85.215.196 listed in list.dnswl.org]
 0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
 [209.85.215.196 listed in wl.mailspike.net]
 -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 domain
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily valid
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
X-Headers-End: 1hBooc-00DMuA-86
Subject: [Openvpn-devel] [PATCHv2] openssl: Fix compilation without
 deprecated OpenSSL 1.1 APIs
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
replaced with _reset.

Also removed initialization with OpenSSL 1.1 as it is no longer needed and
causes compilation errors when disabling deprecated APIs.

Same with SSL_CTX_set_ecdh_auto as it got removed.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
 v2: Squashed previous patches together.
 configure.ac                 |  4 ++++
 src/openvpn/openssl_compat.h | 16 ++++++++++++++++
 src/openvpn/ssl_openssl.c    | 18 ++++++++++++------
 3 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index dfb268ca..891799ea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -918,10 +918,14 @@ if test "${with_crypto_library}" = "openssl"; then
 			EVP_MD_CTX_new \
 			EVP_MD_CTX_free \
 			EVP_MD_CTX_reset \
+			EVP_CIPHER_CTX_init \
+			EVP_CIPHER_CTX_cleanup \
 			OpenSSL_version \
 			SSL_CTX_get_default_passwd_cb \
 			SSL_CTX_get_default_passwd_cb_userdata \
 			SSL_CTX_set_security_level \
+			X509_get0_notBefore \
+			X509_get0_notAfter \
 			X509_get0_pubkey \
 			X509_STORE_get0_objects \
 			X509_OBJECT_free \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index a4072b9a..2453b85e 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -89,6 +89,22 @@ EVP_MD_CTX_new(void)
 }
 #endif
 
+#if !defined(HAVE_EVP_CIPHER_CTX_INIT)
+#define EVP_CIPHER_CTX_init EVP_CIPHER_CTX_reset
+#endif
+
+#if !defined(HAVE_EVP_CIPHER_CTX_CLEANUP)
+#define EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_reset
+#endif
+
+#if !defined(HAVE_X509_GET0_NOTBEFORE)
+#define X509_get0_notBefore X509_get_notBefore
+#endif
+
+#if !defined(HAVE_X509_GET0_NOTAFTER)
+#define X509_get0_notAfter X509_get_notAfter
+#endif
+
 #if !defined(HAVE_HMAC_CTX_RESET)
 /**
  * Reset a HMAC context
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8bcebac4..e41cafa5 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */
 void
 tls_init_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
     SSL_library_init();
-#ifndef ENABLE_SMALL
+# ifndef ENABLE_SMALL
     SSL_load_error_strings();
-#endif
+# endif
     OpenSSL_add_all_algorithms();
-
+#endif
     mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL);
     ASSERT(mydata_index >= 0);
 }
@@ -89,9 +90,11 @@ tls_init_lib(void)
 void
 tls_free_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
     EVP_cleanup();
-#ifndef ENABLE_SMALL
+# ifndef ENABLE_SMALL
     ERR_free_strings();
+# endif
 #endif
 }
 
@@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
         goto cleanup; /* Nothing to check if there is no certificate */
     }
 
-    ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
+    ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
     if (ret == 0)
     {
         msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
@@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
         msg(M_WARN, "WARNING: Your certificate is not yet valid!");
     }
 
-    ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
+    ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
     if (ret == 0)
     {
         msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
@@ -634,10 +637,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
     else
     {
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
+
         /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
          * loading */
         SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
         return;
+#endif
 #else
         /* For older OpenSSL we have to extract the curve from key on our own */
         EC_KEY *eckey = NULL;