From patchwork Mon Apr 29 16:22:35 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3692
From: "plaisthos (Code Review)"
Date: Mon, 29 Apr 2024 16:22:35 +0000
To: flichtenheld
Cc: openvpn-devel
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Subject: [Openvpn-devel] [L] Change in openvpn[master]: Remove OpenSSL 1.0.2 support
Message-ID: <5a52619e114652a33de461bbc01acf7aae94d434-HTML@gerrit.openvpn.net>
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: I90875311a4e4c403e77e30b609c1878cbaaaad45
X-Gerrit-Change-Number: 559
X-Gerrit-Project: openvpn
X-Gerrit-Commit: bb1fd12731ea2a09adb55e9aef251fab504c21ac
User-Agent: Gerrit/3.8.2

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/559?usp=email

to review the following change.

Change subject: Remove OpenSSL 1.0.2 support
......................................................................

Remove OpenSSL 1.0.2 support

With Centos 7/Red Hat Enterprise Linux 7 being EOL this June, the last
distributions that still support OpenSSL 1.0.2 are finally EOL.
This means we no longer need to support OpenSSL 1.0.2 Change-Id: I90875311a4e4c403e77e30b609c1878cbaaaad45 Signed-off-by: Arne Schwabe --- M configure.ac M src/openvpn/crypto_openssl.c M src/openvpn/openssl_compat.h M src/openvpn/ssl_openssl.c 4 files changed, 15 insertions(+), 686 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/59/559/1 diff --git a/configure.ac b/configure.ac index ce8b2b0..51f00a4 100644 --- a/configure.ac +++ b/configure.ac @@ -911,7 +911,7 @@ ]], [[ /* Version encoding: MNNFFPPS - see opensslv.h for details */ -#if OPENSSL_VERSION_NUMBER < 0x10002000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L #error OpenSSL too old #endif ]] diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index b2c4eb6..64ad346 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -49,7 +49,7 @@ #include #include -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) #include #endif #if OPENSSL_VERSION_NUMBER >= 0x30000000L @@ -193,11 +193,7 @@ void crypto_init_lib(void) { -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); -#else - OPENSSL_config(NULL); -#endif /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL @@ -1376,7 +1372,7 @@ return ret; } -#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) +#elif !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) @@ -1422,7 +1418,7 @@ EVP_PKEY_CTX_free(pctx); return ret; } -#else /* if OPENSSL_VERSION_NUMBER >= 0x10100000L */ +#else /* if defined(LIBRESSL_VERSION_NUMBER) */ /* * Generate the hash required by for the \c tls1_PRF function. * 
@@ -1601,5 +1597,5 @@ gc_free(&gc); return ret; } -#endif /* if OPENSSL_VERSION_NUMBER >= 0x10100000L */ +#endif /* if LIBRESSL_VERSION_NUMBER */ #endif /* ENABLE_CRYPTO_OPENSSL */ diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c9fa719..95417b2 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -50,8 +50,8 @@ #define SSL_CTX_set1_groups SSL_CTX_set1_curves #endif -/* Functionality missing in LibreSSL before 3.5 and OpenSSL 1.0.2 */ -#if (OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL)) && !defined(ENABLE_CRYPTO_WOLFSSL) +/* Functionality missing in LibreSSL before 3.5 */ +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL /** * Destroy a X509 object * 
@@ -71,659 +71,14 @@ #define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG #endif -#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && !defined(ENABLE_CRYPTO_WOLFSSL) +#if defined(LIBRESSL_VERSION_NUMBER) #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT #endif -#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL) +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL #define SSL_get_peer_tmp_key SSL_get_server_tmp_key #endif -/* Functionality missing in 1.0.2 */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL) -/** - * Reset a message digest context - * - * @param ctx The message digest context - * @return 1 on success, 0 on error - */ -static inline int -EVP_MD_CTX_reset(EVP_MD_CTX *ctx) -{ - EVP_MD_CTX_cleanup(ctx); - return 1; -} - -/** - * Free an existing message digest context - * - * @param ctx The message digest context - */ -static inline void -EVP_MD_CTX_free(EVP_MD_CTX *ctx) -{ - free(ctx); -} - -/** - * Allocate a new message digest object - * - * @return A zero'ed message digest object - */ -static inline EVP_MD_CTX * -EVP_MD_CTX_new(void) -{ - EVP_MD_CTX *ctx = NULL; - ALLOC_OBJ_CLEAR(ctx, EVP_MD_CTX); - return ctx; -} - -#define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_init -#define X509_get0_notBefore X509_get_notBefore -#define X509_get0_notAfter X509_get_notAfter - -/** - * Reset a HMAC context - * - * OpenSSL 1.1+ removes APIs HMAC_CTX_init() and HMAC_CTX_cleanup() - * and replace them with a single call that does a cleanup followed - * by an init. A proper _reset() for OpenSSL < 1.1 should perform - * a similar set of operations. - * - * It means that before we kill a HMAC context, we'll have to cleanup - * again, as we probably have allocated a few resources when we forced - * an init. 
- * - * @param ctx The HMAC context - * @return 1 on success, 0 on error - */ -static inline int -HMAC_CTX_reset(HMAC_CTX *ctx) -{ - HMAC_CTX_cleanup(ctx); - HMAC_CTX_init(ctx); - return 1; -} - -/** - * Cleanup and free an existing HMAC context - * - * @param ctx The HMAC context - */ -static inline void -HMAC_CTX_free(HMAC_CTX *ctx) -{ - HMAC_CTX_cleanup(ctx); - free(ctx); -} - -/** - * Allocate a new HMAC context object - * - * @return A zero'ed HMAC context object - */ -static inline HMAC_CTX * -HMAC_CTX_new(void) -{ - HMAC_CTX *ctx = NULL; - ALLOC_OBJ_CLEAR(ctx, HMAC_CTX); - return ctx; -} - -/** - * Fetch the default password callback user data from the SSL context - * - * @param ctx SSL context - * @return The password callback user data - */ -static inline void * -SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) -{ - return ctx ? ctx->default_passwd_callback_userdata : NULL; -} - -/** - * Fetch the default password callback from the SSL context - * - * @param ctx SSL context - * @return The password callback - */ -static inline pem_password_cb * -SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) -{ - return ctx ? ctx->default_passwd_callback : NULL; -} - -/** - * Get the public key from a X509 certificate - * - * @param x X509 certificate - * @return The certificate public key - */ -static inline EVP_PKEY * -X509_get0_pubkey(const X509 *x) -{ - return (x && x->cert_info && x->cert_info->key) ? - x->cert_info->key->pkey : NULL; -} - -/** - * Fetch the X509 object stack from the X509 store - * - * @param store X509 object store - * @return the X509 object stack - */ -static inline STACK_OF(X509_OBJECT) -*X509_STORE_get0_objects(X509_STORE *store) -{ - return store ? store->objs : NULL; -} - -/** - * Get the type of an X509 object - * - * @param obj X509 object - * @return The underlying object type - */ -static inline int -X509_OBJECT_get_type(const X509_OBJECT *obj) -{ - return obj ? 
obj->type : X509_LU_FAIL; -} - -/** - * Get the RSA object of a public key - * - * @param pkey Public key object - * @return The underlying RSA object - */ -static inline RSA * -EVP_PKEY_get0_RSA(EVP_PKEY *pkey) -{ - return (pkey && pkey->type == EVP_PKEY_RSA) ? pkey->pkey.rsa : NULL; -} - -/** - * Get the EC_KEY object of a public key - * - * @param pkey Public key object - * @return The underlying EC_KEY object - */ -static inline EC_KEY * -EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) -{ - return (pkey && pkey->type == EVP_PKEY_EC) ? pkey->pkey.ec : NULL; -} - - -/** - * Get the DSA object of a public key - * - * @param pkey Public key object - * @return The underlying DSA object - */ -static inline DSA * -EVP_PKEY_get0_DSA(EVP_PKEY *pkey) -{ - return (pkey && pkey->type == EVP_PKEY_DSA) ? pkey->pkey.dsa : NULL; -} - -/** - * Set the RSA flags - * - * @param rsa The RSA object - * @param flags New flags value - */ -static inline void -RSA_set_flags(RSA *rsa, int flags) -{ - if (rsa) - { - rsa->flags = flags; - } -} - -/** - * Get the RSA parameters - * - * @param rsa The RSA object - * @param n The @c n parameter - * @param e The @c e parameter - * @param d The @c d parameter - */ -static inline void -RSA_get0_key(const RSA *rsa, const BIGNUM **n, - const BIGNUM **e, const BIGNUM **d) -{ - if (n != NULL) - { - *n = rsa ? rsa->n : NULL; - } - if (e != NULL) - { - *e = rsa ? rsa->e : NULL; - } - if (d != NULL) - { - *d = rsa ? 
rsa->d : NULL; - } -} - -/** - * Set the RSA parameters - * - * @param rsa The RSA object - * @param n The @c n parameter - * @param e The @c e parameter - * @param d The @c d parameter - * @return 1 on success, 0 on error - */ -static inline int -RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) -{ - if ((rsa->n == NULL && n == NULL) - || (rsa->e == NULL && e == NULL)) - { - return 0; - } - - if (n != NULL) - { - BN_free(rsa->n); - rsa->n = n; - } - if (e != NULL) - { - BN_free(rsa->e); - rsa->e = e; - } - if (d != NULL) - { - BN_free(rsa->d); - rsa->d = d; - } - - return 1; -} - -/** - * Number of significant RSA bits - * - * @param rsa The RSA object ; shall not be NULL - * @return The number of RSA bits or 0 on error - */ -static inline int -RSA_bits(const RSA *rsa) -{ - const BIGNUM *n = NULL; - RSA_get0_key(rsa, &n, NULL, NULL); - return n ? BN_num_bits(n) : 0; -} - -/** - * Get the DSA parameters - * - * @param dsa The DSA object - * @param p The @c p parameter - * @param q The @c q parameter - * @param g The @c g parameter - */ -static inline void -DSA_get0_pqg(const DSA *dsa, const BIGNUM **p, - const BIGNUM **q, const BIGNUM **g) -{ - if (p != NULL) - { - *p = dsa ? dsa->p : NULL; - } - if (q != NULL) - { - *q = dsa ? dsa->q : NULL; - } - if (g != NULL) - { - *g = dsa ? dsa->g : NULL; - } -} - -/** - * Number of significant DSA bits - * - * @param rsa The DSA object ; shall not be NULL - * @return The number of DSA bits or 0 on error - */ -static inline int -DSA_bits(const DSA *dsa) -{ - const BIGNUM *p = NULL; - DSA_get0_pqg(dsa, &p, NULL, NULL); - return p ? 
BN_num_bits(p) : 0; -} - -/** - * Allocate a new RSA method object - * - * @param name The object name - * @param flags Configuration flags - * @return A new RSA method object - */ -static inline RSA_METHOD * -RSA_meth_new(const char *name, int flags) -{ - RSA_METHOD *rsa_meth = NULL; - ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD); - rsa_meth->name = string_alloc(name, NULL); - rsa_meth->flags = flags; - return rsa_meth; -} - -/** - * Free an existing RSA_METHOD object - * - * @param meth The RSA_METHOD object - */ -static inline void -RSA_meth_free(RSA_METHOD *meth) -{ - if (meth) - { - /* OpenSSL defines meth->name to be a const pointer, yet we - * feed it with an allocated string (from RSA_meth_new()). - * Thus we are allowed to free it here. In order to avoid a - * "passing 'const char *' to parameter of type 'void *' discards - * qualifiers" warning, we force the pointer to be a non-const value. - */ - free((char *)meth->name); - free(meth); - } -} - -/** - * Set the public encoding function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param pub_enc the public encoding function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_pub_enc(RSA_METHOD *meth, - int (*pub_enc)(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) -{ - if (meth) - { - meth->rsa_pub_enc = pub_enc; - return 1; - } - return 0; -} - -/** - * Set the public decoding function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param pub_dec the public decoding function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_pub_dec(RSA_METHOD *meth, - int (*pub_dec)(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) -{ - if (meth) - { - meth->rsa_pub_dec = pub_dec; - return 1; - } - return 0; -} - -/** - * Set the private encoding function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param priv_enc the private encoding 
function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_priv_enc(RSA_METHOD *meth, - int (*priv_enc)(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) -{ - if (meth) - { - meth->rsa_priv_enc = priv_enc; - return 1; - } - return 0; -} - -/** - * Set the private decoding function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param priv_dec the private decoding function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_priv_dec(RSA_METHOD *meth, - int (*priv_dec)(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) -{ - if (meth) - { - meth->rsa_priv_dec = priv_dec; - return 1; - } - return 0; -} - -/** - * Set the init function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param init the init function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa)) -{ - if (meth) - { - meth->init = init; - return 1; - } - return 0; -} - -/** - * Set the sign function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param sign The sign function - * @return 1 on success, 0 on error - */ -static inline -int -RSA_meth_set_sign(RSA_METHOD *meth, - int (*sign)(int type, const unsigned char *m, - unsigned int m_length, - unsigned char *sigret, unsigned int *siglen, - const RSA *rsa)) -{ - meth->rsa_sign = sign; - return 1; -} - -/** - * Set the finish function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param finish the finish function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) -{ - if (meth) - { - meth->finish = finish; - return 1; - } - return 0; -} - -/** - * Set the application data of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param app_data Application data - * @return 1 on success, 0 on error - 
*/ -static inline int -RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data) -{ - if (meth) - { - meth->app_data = app_data; - return 1; - } - return 0; -} - -/** - * Get the application data of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @return pointer to application data, may be NULL - */ -static inline void * -RSA_meth_get0_app_data(const RSA_METHOD *meth) -{ - return meth ? meth->app_data : NULL; -} - -/** - * Gets the number of bits of the order of an EC_GROUP - * - * @param group EC_GROUP object - * @return number of bits of group order. - */ -static inline int -EC_GROUP_order_bits(const EC_GROUP *group) -{ - BIGNUM *order = BN_new(); - EC_GROUP_get_order(group, order, NULL); - int bits = BN_num_bits(order); - BN_free(order); - return bits; -} - -/* SSLeay symbols have been renamed in OpenSSL 1.1 */ -#define OPENSSL_VERSION SSLEAY_VERSION -#define OpenSSL_version SSLeay_version - -/** Return the min SSL protocol version currently enabled in the context. - * If no valid version >= TLS1.0 is found, return 0. */ -static inline int -SSL_CTX_get_min_proto_version(SSL_CTX *ctx) -{ - long sslopt = SSL_CTX_get_options(ctx); - if (!(sslopt & SSL_OP_NO_TLSv1)) - { - return TLS1_VERSION; - } - if (!(sslopt & SSL_OP_NO_TLSv1_1)) - { - return TLS1_1_VERSION; - } - if (!(sslopt & SSL_OP_NO_TLSv1_2)) - { - return TLS1_2_VERSION; - } - return 0; -} - -/** Return the max SSL protocol version currently enabled in the context. - * If no valid version >= TLS1.0 is found, return 0. 
*/ -static inline int -SSL_CTX_get_max_proto_version(SSL_CTX *ctx) -{ - long sslopt = SSL_CTX_get_options(ctx); - if (!(sslopt & SSL_OP_NO_TLSv1_2)) - { - return TLS1_2_VERSION; - } - if (!(sslopt & SSL_OP_NO_TLSv1_1)) - { - return TLS1_1_VERSION; - } - if (!(sslopt & SSL_OP_NO_TLSv1)) - { - return TLS1_VERSION; - } - return 0; -} - -/** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */ -static inline int -SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min) -{ - long sslopt = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; /* Never do < TLS 1.0 */ - - if (tls_ver_min > TLS1_VERSION) - { - sslopt |= SSL_OP_NO_TLSv1; - } -#ifdef SSL_OP_NO_TLSv1_1 - if (tls_ver_min > TLS1_1_VERSION) - { - sslopt |= SSL_OP_NO_TLSv1_1; - } -#endif -#ifdef SSL_OP_NO_TLSv1_2 - if (tls_ver_min > TLS1_2_VERSION) - { - sslopt |= SSL_OP_NO_TLSv1_2; - } -#endif - SSL_CTX_set_options(ctx, sslopt); - - return 1; -} - -/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */ -static inline int -SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) -{ - long sslopt = 0; - - if (tls_ver_max < TLS1_VERSION) - { - sslopt |= SSL_OP_NO_TLSv1; - } -#ifdef SSL_OP_NO_TLSv1_1 - if (tls_ver_max < TLS1_1_VERSION) - { - sslopt |= SSL_OP_NO_TLSv1_1; - } -#endif -#ifdef SSL_OP_NO_TLSv1_2 - if (tls_ver_max < TLS1_2_VERSION) - { - sslopt |= SSL_OP_NO_TLSv1_2; - } -#endif - SSL_CTX_set_options(ctx, sslopt); - - return 1; -} -#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL) */ - /* Functionality missing in 1.1.1 */ #if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_NO_EC) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a158617..e13fe11 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -84,13 +84,6 @@ void tls_init_lib(void) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L - SSL_library_init(); -#ifndef ENABLE_SMALL - SSL_load_error_strings(); -#endif - OpenSSL_add_all_algorithms(); -#endif mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); } @@ -98,12 +91,6 @@ void tls_free_lib(void) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L - EVP_cleanup(); -#ifndef ENABLE_SMALL - ERR_free_strings(); -#endif -#endif } void @@ -744,15 +731,6 @@ } else { -#if OPENSSL_VERSION_NUMBER < 0x10100000L - - /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter - * loading */ - SSL_CTX_set_ecdh_auto(ctx->ctx, 1); - - /* OpenSSL 1.1.0 and newer have always ecdh auto loading enabled, - * so do nothing */ -#endif return; } @@ -1348,7 +1326,7 @@ return 0; } -#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) +#if !defined(OPENSSL_NO_EC) /* called when EC_KEY is destroyed */ static void @@ -1469,7 +1447,7 @@ EC_KEY_free(ec); return 0; } -#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ +#endif /* !defined(OPENSSL_NO_EC) */ #endif /* ENABLE_MANAGEMENT && !HAVE_XKEY_PROVIDER */ #ifdef ENABLE_MANAGEMENT @@ -1509,7 +1487,7 @@ goto cleanup; } } -#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) +#if !defined(OPENSSL_NO_EC) #if OPENSSL_VERSION_NUMBER < 0x30000000L else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ @@ -1526,13 +1504,13 @@ crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate"); goto cleanup; } -#else /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ +#else /* !defined(OPENSSL_NO_EC) */ else { crypto_msg(M_WARN, "management-external-key requires an RSA certificate"); goto cleanup; } -#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ +#endif /* !defined(OPENSSL_NO_EC) */ #endif /* HAVE_XKEY_PROVIDER */ 
@@ -2166,7 +2144,7 @@ EVP_PKEY_free(pkey); } -#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1010000fL) \ +#if !defined(LIBRESSL_VERSION_NUMBER) \ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL) /** * Translate an OpenSSL NID into a more human readable name
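Review bot: the `#error OpenSSL too old` in the configure.ac hunk still does not say which version is now required; with the threshold moved from 0x10002000L to 0x10100000L, consider `#error OpenSSL too old, 1.1.0 or newer is required` so a failing configure run on a 1.0.2 system tells the user what to upgrade to. The threshold itself is correct: 0x10100000L is the MNNFFPPS encoding of 1.1.0 mentioned in the comment just above it.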
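Review bot: the two trailing comments in crypto_openssl.c now disagree with each other and with the `#elif` they close: the @@ -1422 hunk writes `#else /* if defined(LIBRESSL_VERSION_NUMBER) */` while the @@ -1601 hunk writes `#endif /* if LIBRESSL_VERSION_NUMBER */`. Since the chain is `#if ... #elif !defined(LIBRESSL_VERSION_NUMBER) ... #else ... #endif`, pick one spelling for both, for example `/* !defined(LIBRESSL_VERSION_NUMBER) */` on the `#endif`, which is the form the ssl_openssl.c hunks of this same change already use.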
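Review bot: the rewritten guard at the top of the openssl_compat.h @@ -50 hunk, `#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL`, drops the `!defined(ENABLE_CRYPTO_WOLFSSL)` exclusion that the old condition carried, and the @@ -71 hunk does the same for the `RSA_F_RSA_OSSL_PRIVATE_ENCRYPT` define. That is only safe if the wolfSSL compatibility headers never define LIBRESSL_VERSION_NUMBER; the old third condition (`... || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL)`) already relied on that without a wolfSSL exclusion, so it is probably fine, but a wolfSSL build of this change would settle it and the commit message could state that the wolfSSL path is unaffected.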
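Review bot: after the ssl_openssl.c @@ -98 hunk, `tls_free_lib()` is left with an empty body. Either remove the function together with its caller, or leave a one-line comment inside it explaining that nothing remains to free because the OpenSSL < 1.1.0 cleanup calls (`EVP_cleanup()`, `ERR_free_strings()`) were the only contents, so a later reader does not assume something was lost in the removal.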
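Review bot: the rewritten condition in the ssl_openvpn.c @@ -2166 hunk, `#if !defined(LIBRESSL_VERSION_NUMBER) \ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)`, keeps a `defined(LIBRESSL_VERSION_NUMBER) &&` that the new first clause makes redundant: when the macro is undefined the first clause is already true, and in `#if` an undefined identifier evaluates to 0, so `#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x3090000fL` is equivalent and fits on one line.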