[Openvpn-devel] Remove LibreSSL specific defines not needed for modern LibreSSL

Message ID 20210415114541.1001644-1-arne@rfc2549.org
State Accepted
Series [Openvpn-devel] Remove LibreSSL specific defines not needed for modern LibreSSL

Commit Message

Arne Schwabe April 15, 2021, 1:45 a.m. UTC
Most of the functions removed either already had a version check
against LibreSSL 2.9.0 or are now also deprecated in LibreSSL,
according to the man pages in OpenBSD 6.8, like SSL_CTX_set_ecdh_auto
and SSL_library_init.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_openssl.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

Comments

Antonio Quartulli April 15, 2021, 5:47 a.m. UTC | #1
Hi,

On 15/04/2021 13:45, Arne Schwabe wrote:
> Most of the functions removed either already had a version check
> against LibreSSL 2.9.0 or are now also deprecated in LibreSSL,
> according to the man pages in OpenBSD 6.8, like SSL_CTX_set_ecdh_auto
> and SSL_library_init.
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>

This patch is changing the LibreSSL ifdef logic only, therefore no
functional change is expected for OpenSSL (the only SSL library sharing
code with this patch).

I compile tested with:
* LibreSSL 2.9.3, 3.2.5 and 3.3.0
* OpenSSL 1.0.2, 1.1.0 and 1.1.1

Basic connection test (client connects to server and pings) was
performed with:

* LibreSSL 2.9.3
* OpenSSL 1.0.2

Acked-by: Antonio Quartulli <antonio@openvpn.net>

Regards,
Gert Doering April 17, 2021, 3:02 a.m. UTC | #2
Getting rid of #ifdef is always good :-) - tested on OpenBSD 6.8 ("just
to be sure"), works.

On OpenBSD 6.5, it fails at link time (LibreSSL 2.9.1, RSA_meth_set_pub_enc
and other RSA_meth* functions missing).  So, no more support for that
(already end-of-life) OpenBSD version.

FreeBSD ports now has LibreSSL 3.2.5, so I assume it is not going to 
break anything there (though I have not bothered to test).

Your patch has been applied to the master branch.

commit 2c0ebe0f12c3d7598dd2f604a5a412b68b728ba9
Author: Arne Schwabe
Date:   Thu Apr 15 13:45:41 2021 +0200

     Remove LibreSSL specific defines not needed for modern LibreSSL

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Antonio Quartulli <antonio@openvpn.net>
     Message-Id: <20210415114541.1001644-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22119.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
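To check Antonio's "no functional change is expected for OpenSSL" remark and Gert's OpenBSD 6.5 observation against the conditions the patch actually touches, here is an added example (not OpenVPN code and not from anyone in the thread) that rewrites each old and new `#if` from the hunks as a plain C predicate and evaluates it over the version constants the two libraries publish in opensslv.h. It assumes EC support is compiled in (OPENSSL_NO_EC undefined) and relies on LibreSSL defining OPENSSL_VERSION_NUMBER as 0x20000000L; the version table is constructed from the releases named in the thread plus the 2.9.0 boundary the old guards referred to.

```c
/*
 * Added example, not OpenVPN code: the old and new preprocessor guards from
 * this patch rewritten as plain C predicates, evaluated over the version
 * constants the two libraries publish in opensslv.h. Assumptions: EC support
 * is compiled in (OPENSSL_NO_EC undefined) and LibreSSL reports
 * OPENSSL_VERSION_NUMBER 0x20000000L.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct lib_version {
    const char *name;
    unsigned long openssl_num;   /* what OPENSSL_VERSION_NUMBER expands to */
    bool is_libressl;            /* is LIBRESSL_VERSION_NUMBER defined? */
    unsigned long libressl_num;  /* LIBRESSL_VERSION_NUMBER, or 0 if undefined */
};

/* Old guard around SSL_library_init()/EVP_cleanup(). */
bool old_needs_legacy_init(const struct lib_version *l)
{
    return l->openssl_num < 0x10100000L && !l->is_libressl;
}

/* New guard: plain version compare; LibreSSL drops out via 0x20000000L. */
bool new_needs_legacy_init(const struct lib_version *l)
{
    return l->openssl_num < 0x10100000L;
}

/* Old guard around the EC key-method code. In #if an undefined macro
 * evaluates to 0, so the LibreSSL clause is false when built with OpenSSL. */
bool old_has_ec_key_methods(const struct lib_version *l)
{
    return (l->openssl_num > 0x10100000L && !l->is_libressl)
        || l->libressl_num > 0x2090000fL;
}

bool new_has_ec_key_methods(const struct lib_version *l)
{
    return l->openssl_num > 0x10100000L;
}

/* Old guard choosing SSL_get_ciphers() over SSL_get1_supported_ciphers(). */
bool old_uses_get_ciphers(const struct lib_version *l)
{
    return l->openssl_num < 0x1010000fL
        || (l->is_libressl && l->libressl_num <= 0x2090000fL);
}

bool new_uses_get_ciphers(const struct lib_version *l)
{
    return l->openssl_num < 0x1010000fL;
}

/* True when every guard selects the same code before and after the patch. */
bool guards_unchanged(const struct lib_version *l)
{
    return old_needs_legacy_init(l) == new_needs_legacy_init(l)
        && old_has_ec_key_methods(l) == new_has_ec_key_methods(l)
        && old_uses_get_ciphers(l) == new_uses_get_ciphers(l);
}

/* Constructed table: OPENSSL_VERSION_NUMBER / LIBRESSL_VERSION_NUMBER in the
 * MNNFFPPS layout, for releases named in the thread plus LibreSSL 2.9.0. */
static const struct lib_version versions[] = {
    { "OpenSSL 1.0.2u",  0x1000215fL, false, 0 },
    { "OpenSSL 1.1.0l",  0x101000cfL, false, 0 },
    { "OpenSSL 1.1.1k",  0x101010bfL, false, 0 },
    { "LibreSSL 2.9.0",  0x20000000L, true,  0x2090000fL },
    { "LibreSSL 2.9.1",  0x20000000L, true,  0x2090100fL },
    { "LibreSSL 2.9.3",  0x20000000L, true,  0x2090300fL },
    { "LibreSSL 3.2.5",  0x20000000L, true,  0x3020500fL },
};
static const size_t n_versions = sizeof(versions) / sizeof(versions[0]);

/* Number of table entries for which the patch changes the selected code. */
size_t count_changed(void)
{
    size_t changed = 0;
    for (size_t i = 0; i < n_versions; i++) {
        if (!guards_unchanged(&versions[i])) {
            changed++;
        }
    }
    return changed;
}

int main(void)
{
    printf("%-16s %-12s %-9s %s\n", "library", "legacy_init", "ec_meth", "get_ciphers (old->new)");
    for (size_t i = 0; i < n_versions; i++) {
        const struct lib_version *l = &versions[i];
        printf("%-16s %d->%d         %d->%d      %d->%d%s\n", l->name,
               old_needs_legacy_init(l), new_needs_legacy_init(l),
               old_has_ec_key_methods(l), new_has_ec_key_methods(l),
               old_uses_get_ciphers(l), new_uses_get_ciphers(l),
               guards_unchanged(l) ? "" : "   <- changed by patch");
    }
    return 0;
}
```

Every OpenSSL row and every LibreSSL row from 2.9.1 upward selects the same code before and after; only LibreSSL 2.9.0 flips (it gains the EC key-method block and moves to SSL_get1_supported_ciphers()). Since the guards shown in these hunks give the same answer for 2.9.1 either way, the RSA_meth_* link failure Gert saw on OpenBSD 6.5 is not produced by the conditions visible in this patch.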

Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index cb8ac7727..73b51276c 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,7 +76,7 @@  int mydata_index; /* GLOBAL */
 void
 tls_init_lib(void)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     SSL_library_init();
 #ifndef ENABLE_SMALL
     SSL_load_error_strings();
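Review bot: the new `#if OPENSSL_VERSION_NUMBER < 0x10100000L` in tls_init_lib is only correct for LibreSSL because LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, which makes the SSL_library_init()/SSL_load_error_strings() path fall away; that was already the effective behaviour of the old `&& !defined(LIBRESSL_VERSION_NUMBER)`, but now nothing in the file says so. A one-line comment above the #if (for example "LibreSSL reports 0x20000000L and initialises itself like OpenSSL 1.1") would spare the next reader from re-deriving why LibreSSL is excluded.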
@@ -90,7 +90,7 @@  tls_init_lib(void)
 void
 tls_free_lib(void)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     EVP_cleanup();
 #ifndef ENABLE_SMALL
     ERR_free_strings();
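Review bot: tls_free_lib must stay in lockstep with tls_init_lib, and the two now repeat the same bare `OPENSSL_VERSION_NUMBER < 0x10100000L` test; consider hoisting it into one file-local macro (something like `NEED_LEGACY_SSL_INIT`) used by both functions, so the EVP_cleanup()/ERR_free_strings() guard cannot drift from the SSL_library_init() guard in a later edit.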
@@ -705,7 +705,7 @@  tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
     }
     else
     {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 
         /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
          * loading */
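Review bot: the comment under the new `#if OPENSSL_VERSION_NUMBER < 0x10100000L` still only says "OpenSSL 1.0.2 and newer can automatically handle ECDH parameter loading"; with LibreSSL gone from the condition, nothing in tls_ctx_load_ecdh_params records that LibreSSL skips this block because it reports 0x20000000L and, as the commit message notes, deprecates SSL_CTX_set_ecdh_auto. Suggest extending the comment to say that OpenSSL 1.1.0+ and LibreSSL need nothing here.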
@@ -1310,9 +1310,7 @@  err:
     return 0;
 }
 
-#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \
-    || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \
-    && !defined(OPENSSL_NO_EC)
+#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
 
 /* called when EC_KEY is destroyed */
 static void
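Review bot: dropping `LIBRESSL_VERSION_NUMBER > 0x2090000fL` removes the explicit LibreSSL floor from this EC key-method block; the new `OPENSSL_VERSION_NUMBER > 0x10100000L` is true for every LibreSSL release (0x20000000L), so a LibreSSL lacking these APIs now fails at link time instead of being excluded by the preprocessor, which matches the OpenBSD 6.5 result reported in the thread. Please state the new minimum supported LibreSSL in the commit message or fail early with a `#error` for releases below it. Also, `>` on 0x10100000L excludes only the 1.1.0-dev number; `>= 0x10100000L` would read as the intended "1.1.0 and later" and match the `< 0x10100000L` tests earlier in the file.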
@@ -1457,9 +1455,7 @@  tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
             goto cleanup;
         }
     }
-#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \
-    || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \
-    && !defined(OPENSSL_NO_EC)
+#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
     else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
     {
         if (!tls_ctx_use_external_ec_key(ctx, pkey))
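Review bot: this guard must be identical to the one around the tls_ctx_use_external_ec_key definition above, yet it is spelled `#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)` here and `#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)` there; use one spelling, or a shared macro, so the definition and its caller cannot be guarded differently if either is edited later.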
@@ -2147,8 +2143,7 @@  show_available_tls_ciphers_list(const char *cipher_list,
         crypto_msg(M_FATAL, "Cannot create SSL object");
     }
 
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)    \
-    || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090000fL)
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
     STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
 #else
     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
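Review bot: `0x1010000fL` here versus `0x10100000L` in the guards above spells the 1.1.0 boundary two ways in the same file; pick one. Since LibreSSL (0x20000000L) now takes the SSL_get1_supported_ciphers() branch unconditionally, please also confirm that the matching sk_SSL_CIPHER_free() for that branch sits under the same `#if`, because SSL_get1_supported_ciphers() returns a stack the caller owns while SSL_get_ciphers() returns one owned by the SSL object.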