From patchwork Fri Jul 12 09:56:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rosen Penev X-Patchwork-Id: 778 X-Patchwork-Delegate: arne-openvpn@rfc2549.org Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 2HSHCDfmKF0ySAAAIUCqbw for ; Fri, 12 Jul 2019 15:57:43 -0400 Received: from proxy17.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id cGRVCDfmKF05SgAAfY0hYg ; Fri, 12 Jul 2019 15:57:43 -0400 Received: from smtp5.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy17.mail.ord1d.rsapps.net with LMTP id mG/cBzfmKF1eRQAAWC7mWg ; Fri, 12 Jul 2019 15:57:43 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp5.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: 4ede4410-a4df-11e9-be2b-525400d73c44-1-1 Received: from [216.105.38.7] ([216.105.38.7:40988] helo=lists.sourceforge.net) by smtp5.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 33/F9-30897-636E82D5; Fri, 12 Jul 2019 15:57:42 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1hm1es-0004Ck-Ll; Fri, 12 Jul 2019 19:56:42 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1hm1er-0004CW-DJ for openvpn-devel@lists.sourceforge.net; Fri, 12 Jul 2019 19:56:41 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=e4XRL7K/Fcg17vDj9IvxzrrSYB08uDUsTnc0z5fDltE=; b=CovTR4E922rDIvRjpB6MDJHXph AvtpZPQOGhFUBo8w4F7gmMfKuVcPA4dQ3kVleimfkV9z4oXddy7MVcIghDRhMmfh0+d7iuyqp8+Pr KKMxYf6qN/OC8n5doPX7tv9SOoj+5WTHGLoZqOHFMOkORxdVVJp6mZVs/sek/odssZjk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=e4XRL7K/Fcg17vDj9IvxzrrSYB08uDUsTnc0z5fDltE=; b=ey88280tXcOTe7xkshbsKE/mh4 01AND88d1u88NrRB9a9FczbSt36BCNHCOpMbmP50Hbv/YmED+up5aOXS60EHJWjfCFlTQXn2IsTPU 6v9HaeA2aQ9ba+Qh2qQQWrivFZ517cSEhRjDWYEalptd09OcdmoKxuUe+1UejuAoBrZw=; Received: from mail-pl1-f194.google.com ([209.85.214.194]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.90_1) id 1hm1el-00HFjc-Q6 for openvpn-devel@lists.sourceforge.net; Fri, 12 Jul 2019 19:56:41 +0000 Received: by mail-pl1-f194.google.com with SMTP id az7so5252745plb.5 for ; Fri, 12 Jul 2019 12:56:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id; bh=e4XRL7K/Fcg17vDj9IvxzrrSYB08uDUsTnc0z5fDltE=; b=i+dXccbALRdcMkLoteewFxo76egF4TClDuqlJHlpkElODXYnP1obHZ85f4tT6ae27m e3GXUOm2UrPm+z4W5tjPhTmFCf4rFy25BsfjSqUS+sPRyIicmC2FcoNKy9Y7ymAXfYpZ sT/Qdg9rwvSoYpj25Y1kX3Yy3fiF3vkkC0JJmS8r6/ANlgOfQIPo3DIaSBS8vcAgW8XR TroY7n+wKgshnjtFzgS5ONdaa/a6GKzbYf4LNAEd2j9RsMibeHRc/N3aPHEFD0mm5rFH VrPwhAYy5dfx38/nD5Vz84djVEOv5Z6JMRxY4L7hI983FYMPnX6LcUjY6n7e1E60OG3m MtKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id; bh=e4XRL7K/Fcg17vDj9IvxzrrSYB08uDUsTnc0z5fDltE=; b=XqokDojvoqrUfi6YcDxFbOlRSlu1+FjB03j06l+p/MHKq80E6Qdz3WsN0cjssIB6Jw 856DRxT+X09N9ue9RGKSB1v+OWabNx9FN/+2ezZHB1fz6nbxjb+Xa/Ov07hiuMb2SBML Jot9UrVuLSFFs+QC9XWAohDiVocEuDpciN9DPJfAo/7ETcHNVrtEBUm/eVeWdhbYEQ6f mvsliQ98T0hUeP7UUmeTMDMjeguYDKeKyc/TNYpLTNJaEarvnDqYefsfkrSpNBVOqtDp uF3mTWpakHNgeblrv/ymVQaEZJshZj59zZqhBer46uNLCOuiOS9f/JILqCrKdVD1l5A9 29vQ== X-Gm-Message-State: APjAAAWh1pXZA2+UWe/brZ0iA35TsB6dmFwIoyFD2uF4VJDRYOhWIUHZ OVr+2dVfgxxGquBebgnlntrHLBmf7hE= X-Google-Smtp-Source: APXvYqy1RFWVYNre/FTReYi5BJJhy7QVRMFJV1Y037CPf1m3NZbs6magM/ytKqSSmkOEnA7xBlUDLw== X-Received: by 2002:a17:902:9a49:: with SMTP id x9mr13841291plv.282.1562961389583; Fri, 12 Jul 2019 12:56:29 -0700 (PDT) Received: from localhost.localdomain (76-14-106-55.rk.wavecable.com. [76.14.106.55]) by smtp.gmail.com with ESMTPSA id i137sm2270405pgc.4.2019.07.12.12.56.28 for (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Fri, 12 Jul 2019 12:56:29 -0700 (PDT) From: Rosen Penev To: openvpn-devel@lists.sourceforge.net Date: Fri, 12 Jul 2019 12:56:27 -0700 Message-Id: <20190712195627.5937-1-rosenp@gmail.com> X-Mailer: git-send-email 2.17.1 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (rosenp[at]gmail.com) 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: configure.ac] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.214.194 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [209.85.214.194 listed in wl.mailspike.net] -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders 1.3 PDS_NO_HELO_DNS High profile HELO but no A record X-Headers-End: 1hm1el-00HFjc-Q6 Subject: [Openvpn-devel] [PATCHv3] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were replaced with _reset. Also removed initialization with OpenSSL 1.1 as it is no longer needed and causes compilation errors when disabling deprecated APIs. Signed-off-by: Rosen Penev --- v2: Squashed previous patches together. v3: Check for _reset function only. configure.ac | 3 +++ src/openvpn/crypto_openssl.c | 8 ++++++++ src/openvpn/openssl_compat.h | 8 ++++++++ src/openvpn/ssl_openssl.c | 11 ++++++++--- 4 files changed, 27 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index e9f8a2f9..c7fd7a84 100644 --- a/configure.ac +++ b/configure.ac @@ -919,10 +919,13 @@ if test "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + EVP_CIPHER_CTX_reset \ OpenSSL_version \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ + X509_get0_notBefore \ + X509_get0_notAfter \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c049e52d..d8aa4835 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -772,7 +772,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); +#if defined(HAVE_EVP_CIPHER_CTX_RESET) + EVP_CIPHER_CTX_reset(ctx); +#else EVP_CIPHER_CTX_init(ctx); +#endif if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #1"); @@ -795,7 +799,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, void cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) { +#if defined(HAVE_EVP_CIPHER_CTX_RESET) + EVP_CIPHER_CTX_reset(ctx); +#else EVP_CIPHER_CTX_cleanup(ctx); +#endif } int diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index a4072b9a..788843a2 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -89,6 +89,14 @@ EVP_MD_CTX_new(void) } #endif +#if !defined(HAVE_X509_GET0_NOTBEFORE) +#define X509_get0_notBefore X509_get_notBefore +#endif + +#if !defined(HAVE_X509_GET0_NOTAFTER) +#define X509_get0_notAfter X509_get_notAfter +#endif + #if !defined(HAVE_HMAC_CTX_RESET) /** * Reset a HMAC context diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 8bcebac4..e285bc56 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) SSL_library_init(); #ifndef ENABLE_SMALL SSL_load_error_strings(); #endif OpenSSL_add_all_algorithms(); - +#endif mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); } @@ -89,10 +90,12 @@ tls_init_lib(void) void tls_free_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) EVP_cleanup(); #ifndef ENABLE_SMALL ERR_free_strings(); #endif +#endif } void @@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) goto cleanup; /* Nothing to check if there is no certificate */ } - ret = X509_cmp_time(X509_get_notBefore(cert), NULL); + ret = X509_cmp_time(X509_get0_notBefore(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); @@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) msg(M_WARN, "WARNING: Your certificate is not yet valid!"); } - ret = X509_cmp_time(X509_get_notAfter(cert), NULL); + ret = X509_cmp_time(X509_get0_notAfter(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); @@ -634,10 +637,12 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name else { #if OPENSSL_VERSION_NUMBER >= 0x10002000L +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ SSL_CTX_set_ecdh_auto(ctx->ctx, 1); return; +#endif #else /* For older OpenSSL we have to extract the curve from key on our own */ EC_KEY *eckey = NULL;