done
- { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL version >= 1.1.1" >&5
-printf %s "checking for OpenSSL version >= 1.1.1... " >&6; }
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL version >= 3.0.0" >&5
+printf %s "checking for OpenSSL version >= 3.0.0... " >&6; }
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/crypto.h>
- #if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
yes
#endif
e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
- #include <stdlib.h>
+ #include <stdlib.h>
#include <regex.h>
int
]
)
- AC_MSG_CHECKING([for OpenSSL version >= 1.1.1])
+ AC_MSG_CHECKING([for OpenSSL version >= 3.0.0])
AC_EGREP_CPP(yes,
[#include <openssl/crypto.h>
- #if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+ #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
yes
#endif
],
return 0;
}
-#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
-# include <openssl/provider.h>
+#include <openssl/provider.h>
static OSSL_PROVIDER *openssl_default_provider = NULL;
static OSSL_PROVIDER *openssl_legacy_provider = NULL;
}
openssl_legacy_provider = NULL;
}
-#else
-#define openssl3_init()
-#define openssl3_free()
-#endif
static int _loop_status(UNUSED fr_time_t now, fr_time_delta_t wake, UNUSED void *ctx)
{
return 0;
}
-#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
-# include <openssl/provider.h>
+#include <openssl/provider.h>
static OSSL_PROVIDER *openssl_default_provider = NULL;
static OSSL_PROVIDER *openssl_legacy_provider = NULL;
}
openssl_legacy_provider = NULL;
}
-#else
-#define openssl3_init()
-#define openssl3_free()
-#endif
static int mschapv1_encode(fr_packet_t *packet, fr_pair_list_t *list,
char const *password)
}
int eap_crypto_tls_session_id(TALLOC_CTX *ctx,
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
- UNUSED
-#endif
request_t *request, SSL *ssl, eap_tls_prf_label_t *prf_label,
uint8_t **out, uint8_t eap_type)
{
SSL_get_client_random(ssl, p, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
SSL_get_server_random(ssl, p, SSL3_RANDOM_SIZE);
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
break;
/*
}
}
break;
-#endif
}
*out = buff;
CONF_PAIR *cp;
if (DEBUG_ENABLED3) {
-#if defined(WITH_TLS) && (OPENSSL_VERSION_NUMBER < 0x30000000L)
- ENGINE *engine;
- char const *engine_id;
-#endif
int max = 0, len;
MEM(features = cf_section_alloc(NULL, NULL, "feature", NULL));
if (max < len) max = len;
}
-#if defined(WITH_TLS) && (OPENSSL_VERSION_NUMBER < 0x30000000L)
- for (engine = ENGINE_get_first();
- engine;
- engine = ENGINE_get_next(engine)) {
- len = strlen(ENGINE_get_id(engine) + 1);
- if (max < len) max = len;
- }
-#endif
-
for (ci = cf_item_next(features, NULL);
ci;
ci = cf_item_next(features, ci)) {
talloc_free(features);
talloc_free(versions);
-#if defined(WITH_TLS) && (OPENSSL_VERSION_NUMBER < 0x30000000L)
- DEBUG3("OpenSSL engines:");
- for (engine = ENGINE_get_first();
- engine;
- engine = ENGINE_get_next(engine)) {
- engine_id = ENGINE_get_id(engine);
-
- DEBUG3(" %s%.*s : %s", engine_id, (int)(max - (strlen(engine_id) + 1)), spaces,
- ENGINE_get_name(engine));
- }
-#endif
-
DEBUG2("Endianness:");
#ifdef WORDS_BIGENDIAN
DEBUG2(" big");
#ifdef HAVE_OPENSSL_EVP_H
{ L("{ssha224}"), FR_SSHA2_224 },
{ L("{ssha256}"), FR_SSHA2_256 },
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
{ L("{ssha3-224}"), FR_SSHA3_224 },
{ L("{ssha3-256}"), FR_SSHA3_256 },
{ L("{ssha3-384}"), FR_SSHA3_384 },
{ L("{ssha3-512}"), FR_SSHA3_512 },
-# endif
{ L("{ssha384}"), FR_SSHA2_384 },
{ L("{ssha512}"), FR_SSHA2_512 },
#endif
#ifdef HAVE_OPENSSL_EVP_H
static fr_pair_t *password_process_sha2(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good);
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
static fr_pair_t *password_process_sha3(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good);
-# endif
#endif
static fr_pair_t *password_process_header(TALLOC_CTX *ctx, request_t *request, fr_pair_t *known_good);
.da = &attr_sha2_512,
.min_hash_len = SHA512_DIGEST_LENGTH,
},
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
[FR_SHA3] = {
.type = PASSWORD_HASH_VARIABLE,
.da = &attr_sha3,
.da = &attr_sha3_512,
.min_hash_len = SHA512_DIGEST_LENGTH
},
-# endif
#endif
[FR_SMD5] = {
.type = PASSWORD_HASH,
.da = &attr_ssha2_512,
.min_hash_len = SHA512_DIGEST_LENGTH
},
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
[FR_SSHA3_224] = {
.type = PASSWORD_HASH_SALTED,
.da = &attr_ssha3_224,
.da = &attr_ssha3_512,
.min_hash_len = SHA512_DIGEST_LENGTH
}
-# endif
#endif
};
}
}
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
/** Split SHA3 hashes into separate attributes based on their length
*
* @param[in] ctx to allocate attributes in.
return normalised;
}
}
-# endif
#endif
/** Convert a Password.With-Header attribute to the correct type
#include "bio.h"
#include <openssl/conf.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-# include <openssl/provider.h>
-#endif
+#include <openssl/provider.h>
#include <freeradius-devel/server/base.h>
#include <freeradius-devel/tls/attrs.h>
*/
static _Thread_local bool *async_pool_init;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static OSSL_PROVIDER *openssl_default_provider = NULL;
static OSSL_PROVIDER *openssl_legacy_provider = NULL;
-#endif
static uint32_t tls_instance_count = 0;
fr_tls_bio_free();
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static void _openssl_provider_free(void)
{
if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
}
openssl_legacy_provider = NULL;
}
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-static void _openssl_engine_free(void)
-{
- fr_tls_engine_free_all();
-}
-#endif
static int fr_openssl_cleanup(UNUSED void *uctx)
{
return -1;
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
/*
* Load the default provider for most algorithms
*/
fr_tls_log(NULL, "Failed loading legacy provider");
return -1;
}
-#endif
/*
* It's best to use OpenSSL's cleanup stack
* as then everything is cleaned up relative
* to the OPENSSL_cleanup() call.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
OPENSSL_atexit(_openssl_provider_free);
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- OPENSSL_atexit(_openssl_engine_free);
-#endif
/*
* SHA256 is in all versions of OpenSSL, but isn't
*/
EVP_add_digest(EVP_sha256());
- /*
- * FIXME - This should be done _after_
- * running any engine controls.
- */
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- fr_tls_engine_load_builtin();
-#endif
-
fr_tls_log_init();
fr_tls_bio_init();
*/
int fr_openssl_fips_mode(bool enabled)
{
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
return -1;
}
-#else
- if (!FIPS_mode_set(enabled ? 1 : 0)) {
- fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
- return -1;
- }
-#endif
return 0;
}
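Review bot: `EVP_set_default_properties(NULL, "fips=yes")` only restricts later algorithm fetches to implementations that carry the fips property; it does not load the FIPS provider, and the initialisation code elsewhere in this diff appears to load only the default and legacy providers. If the fips provider is not loaded when `fr_openssl_fips_mode(true)` is called, the call here succeeds and returns 0, and every subsequent EVP fetch then fails with an error that does not point back to this function. Consider adding `if (enabled && !OSSL_PROVIDER_available(NULL, "fips")) { fr_tls_log(NULL, "OpenSSL FIPS provider is not available"); return -1; }` ahead of the property change, or at least stating in the function's doc comment that the caller is responsible for loading the fips provider first.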
ctx_options |= SSL_OP_NO_TICKET;
SSL_CTX_set_options(ctx, ctx_options);
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
/*
* This controls the number of stateful or stateless
* tickets generated with TLS 1.3. In OpenSSL 1.1.0
* SSL_SESS_CACHE_OFF is not good enough.
*/
SSL_CTX_set_num_tickets(ctx, 0);
-#endif
}
/** Disable stateful session resumption for a given TLS ctx
* many session tickets by default (2), and we only
* need one.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
SSL_CTX_set_num_tickets(ctx, 1);
-#endif
}
break;
}
.dflt = "%{EAP-Type}%interpreter(server)", .quote = T_DOUBLE_QUOTED_STRING },
{ FR_CONF_OFFSET("lifetime", fr_tls_cache_conf_t, lifetime), .dflt = "1d" },
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
{ FR_CONF_OFFSET("require_extended_master_secret", fr_tls_cache_conf_t, require_extms), .dflt = "yes" },
{ FR_CONF_OFFSET("require_perfect_forward_secrecy", fr_tls_cache_conf_t, require_pfs), .dflt = "no" },
-#endif
{ FR_CONF_OFFSET("session_ticket_key", fr_tls_cache_conf_t, session_ticket_key) },
#include <openssl/rand.h>
#include <openssl/dh.h>
#include <openssl/x509v3.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-# include <openssl/provider.h>
-#endif
+#include <openssl/provider.h>
#ifndef OPENSSL_NO_ECDH
static int ctx_ecdh_curve_set(SSL_CTX *ctx, char const *ecdh_curve, bool disable_single_dh_use)
BIO *bio;
int ret;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY *dh = NULL;
-#else
- DH *dh = NULL;
-#endif
if (!file) return 0;
*
* Change suggested by @t8m
*/
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (EVP_default_properties_is_fips_enabled(NULL)) {
-# else
- if (FIPS_mode() > 0) {
-#endif
WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
return 0;
}
-#endif
if ((bio = BIO_new_file(file, "r")) == NULL) {
ERROR("Unable to open DH file - %s", file);
return -1;
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
dh = PEM_read_bio_Parameters(bio, &dh);
-#else
- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-#endif
BIO_free(bio);
if (!dh) {
WARN("Unable to set DH parameters. DH cipher suites may not work!");
return 0;
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
ret = SSL_CTX_set0_tmp_dh_pkey(ctx, dh);
-#else
- ret = SSL_CTX_set_tmp_dh(ctx, dh);
- DH_free(dh);
-#endif
-
if (ret < 0) {
ERROR("Unable to set DH parameters");
return -1;
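Review bot: `SSL_CTX_set0_tmp_dh_pkey()` returns 1 on success and 0 on failure, so the retained `if (ret < 0)` test two lines below it never fires on the OpenSSL 3 path, and because set0 transfers ownership of `dh` only on success, the `EVP_PKEY` produced by `PEM_read_bio_Parameters()` leaks whenever the call does fail (the removed branch freed its DH unconditionally, so the commit drops the only free on this path). Change the check to `if (ret != 1) {` and add `EVP_PKEY_free(dh);` before the `ERROR("Unable to set DH parameters");` line. The enclosing function starts and ends outside the hunk.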
static inline CC_HINT(always_inline)
int tls_ctx_version_set(
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
UNUSED
-#endif
int *ctx_options, SSL_CTX *ctx, fr_tls_conf_t const *conf)
{
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/*
* SSL_CTX_set_(min|max)_proto_version was included in OpenSSL 1.1.0
*
goto error;
}
}
-#else
- /*
- * OpenSSL < 1.1.0 - This doesn't need to change when new TLS versions are issued
- * as new TLS versions will never be added to older OpenSSL versions.
- */
- {
- int ctx_tls_versions = 0;
-
- /*
- * We never want SSLv2 or SSLv3.
- */
- *ctx_options |= SSL_OP_NO_SSLv2;
- *ctx_options |= SSL_OP_NO_SSLv3;
-
-# ifdef SSL_OP_NO_TLSv1
- if (conf->tls_min_version > (float) 1.0) *ctx_options |= SSL_OP_NO_TLSv1;
- ctx_tls_versions |= SSL_OP_NO_TLSv1;
-# endif
-# ifdef SSL_OP_NO_TLSv1_1
- if (conf->tls_min_version > (float) 1.1) *ctx_options |= SSL_OP_NO_TLSv1_1;
- if ((conf->tls_max_version > (float) 0.0) && (conf->tls_max_version < (float) 1.1)) {
- *ctx_options |= SSL_OP_NO_TLSv1_1;
- }
- ctx_tls_versions |= SSL_OP_NO_TLSv1_1;
-# endif
-# ifdef SSL_OP_NO_TLSv1_2
- if (conf->tls_min_version > (float) 1.2) *ctx_options |= SSL_OP_NO_TLSv1_2;
- if ((conf->tls_max_version > (float) 0.0) && (conf->tls_max_version < (float) 1.2)) {
- *ctx_options |= SSL_OP_NO_TLSv1_2;
- }
- ctx_tls_versions |= SSL_OP_NO_TLSv1_2;
-# endif
-
- if ((*ctx_options & ctx_tls_versions) == ctx_tls_versions) {
- ERROR("You have disabled all available TLS versions");
- goto error;
- }
- }
-#endif
return 0;
}
* SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
*/
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
/*
* Set the block size for record padding. This is only
* used in TLS 1.3.
*/
if (conf->padding_block_size) SSL_CTX_set_block_padding(ctx, conf->padding_block_size);
-#endif
/*
* Set elliptical curve crypto configuration.
X509_STORE_set_flags(cert_vpstore, X509_V_FLAG_USE_DELTAS);
#endif
}
-#endif
+
/*
* SSL_ctx_set_verify is now called in the session
*/
if (fr_tls_cache_ctx_init(ctx, &conf->cache) < 0) goto error;
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
/*
* Set the keylog file if the admin requested it.
*/
if ((getenv("SSLKEYLOGFILE") != NULL) || (conf->keylog_file && *conf->keylog_file)) {
SSL_CTX_set_keylog_callback(ctx, fr_tls_session_keylog_cb);
}
-#endif
return ctx;
}
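Review bot: The keylog guard loses its `!defined(LIBRESSL_VERSION_NUMBER)` half, so this block now relies on the configure test earlier in this diff to keep LibreSSL builds out (LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, which the new >= 0x30000000L check rejects); the same dependency applies to what appears to be the `fr_tls_session_keylog_cb` definition hunk further down. Since the block is now compiled unconditionally, the comment above it should also make explicit that the bare presence of `SSLKEYLOGFILE` in the daemon's environment, not only the `keylog_file` config item, exports session keying material for every TLS session, e.g. `/* Keylog export is enabled by SSLKEYLOGFILE in the environment OR keylog_file in config; either alone is sufficient */`. The enclosing function starts outside the hunk.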
#endif
}
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
/*
* By setting the environment variable SSLKEYLOGFILE to a filename keying
* material will be exported that you may use with Wireshark to decode any
close(fd);
}
-#endif
/** Decrypt application data
*
return UNLANG_ACTION_CALCULATE_RESULT;
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
/*
* Bug in OpenSSL 3.0 - Normal handshaking behaviour
* results in spurious "BIO_R_UNSUPPORTED_METHOD"
DIAG_ON(used-but-marked-unused)
DIAG_ON(DIAG_UNKNOWN_PRAGMAS)
}
-#endif
/*
* Deal with asynchronous requests from OpenSSL.
#include "strerror.h"
#include "utils.h"
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-static inline unsigned long ERR_get_error_all(const char **file, int *line,
- const char **func,
- const char **data, int *flags)
-{
- if (func != NULL) *func = "";
-
- return ERR_get_error_line_data(file, line, data, flags);
-}
-#endif
-
DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */
static void _tls_cert_line_push(char const *file, int line, int idx, X509 *cert)
STACK_OF(X509) *our_chain;
int i;
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
our_chain = X509_STORE_CTX_get0_chain(x509_ctx);
-#else
- our_chain = X509_STORE_CTX_get_chain(x509_ctx);
-#endif
-
RDEBUG3("Certificate chain - %i cert(s) untrusted", untrusted);
for (i = sk_X509_num(our_chain); i > 0 ; i--) {
X509 *this_cert = sk_X509_value(our_chain, i - 1);
/*
* If there's no client certificate, we just return OK.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
cert = SSL_get0_peer_certificate(ssl); /* Does not increase ref count */
-#else
- cert = SSL_get_peer_certificate(ssl); /* Increases ref count */
-#endif
if (!cert) return 1;
ssl_ctx = SSL_get_SSL_CTX(ssl);
}
}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- X509_free(cert);
-#endif
X509_STORE_CTX_free(store_ctx);
return ret;
{
unsigned long ssl_linked;
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
ssl_linked = OpenSSL_version_num();
-#else
- ssl_linked = (unsigned long)SSLeay();
-#endif
/*
* Major and minor versions mismatch, that's bad.
return buffer;
}
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
/** Return the linked SSL version number as a string
*
* @return pointer to a static buffer containing the version string.
return buffer;
}
-# else
-/** Return the linked SSL version number as a string
- *
- * @return pointer to a static buffer containing the version string.
- */
-char const *fr_openssl_version_basic(void)
-{
- long ssl_linked;
-
- ssl_linked = SSLeay();
- return fr_openssl_version_str_from_num((uint32_t)ssl_linked);
-}
-
-/** Print the current linked version of Openssl
- *
- * Print the currently linked version of the OpenSSL library.
- *
- * @note Not thread safe.
- *
- * @return pointer to a static buffer containing libssl version information.
- */
-char const *fr_openssl_version_expanded(void)
-{
- static _Thread_local char buffer[256];
- long ssl_linked = SSLeay();
-
- snprintf(buffer, sizeof(buffer), "%s 0x%.8x (%s)",
- SSLeay_version(SSLEAY_VERSION), /* Not all builds include a useful version number */
- ssl_linked,
- fr_openssl_version_str_from_num(v));
-
- return buffer;
-}
-# endif
# ifdef ENABLE_OPENSSL_VERSION_CHECK
typedef struct {
if (strcmp(acknowledged, "yes") == 0) return 0;
/* Check for bad versions */
-
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
ssl_linked = OpenSSL_version_num();
-# else
- ssl_linked = (unsigned long)SSLeay();
-# endif
-
for (i = 0; i < (NUM_ELEMENTS(fr_openssl_defects)); i++) {
fr_openssl_defect_t *defect = &fr_openssl_defects[i];
EVP_MD_XLAT(blake2b_512, blake2b512)
#endif
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
EVP_MD_XLAT(sha3_224, sha3_224)
EVP_MD_XLAT(sha3_256, sha3_256)
EVP_MD_XLAT(sha3_384, sha3_384)
EVP_MD_XLAT(sha3_512, sha3_512)
-# endif
#endif
XLAT_REGISTER_PURE("blake2b_512", xlat_func_blake2b_512, FR_TYPE_OCTETS, xlat_func_sha_arg);
# endif
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
XLAT_REGISTER_PURE("sha3_224", xlat_func_sha3_224, FR_TYPE_OCTETS, xlat_func_sha_arg);
XLAT_REGISTER_PURE("sha3_256", xlat_func_sha3_256, FR_TYPE_OCTETS, xlat_func_sha_arg);
XLAT_REGISTER_PURE("sha3_384", xlat_func_sha3_384, FR_TYPE_OCTETS, xlat_func_sha_arg);
XLAT_REGISTER_PURE("sha3_512", xlat_func_sha3_512, FR_TYPE_OCTETS, xlat_func_sha_arg);
-# endif
#endif
XLAT_REGISTER_PURE("string", xlat_func_string, FR_TYPE_STRING, xlat_func_string_arg);
# include <openssl/evp.h>
# include <openssl/crypto.h>
# include <openssl/err.h>
-
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-# include <openssl/provider.h>
-# endif
+# include <openssl/provider.h>
static int have_openssl_md4 = -1;
* md4 functions, and call the OpenSSL init
* function.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (!EVP_default_properties_is_fips_enabled(NULL)) {
-#else
- if (FIPS_mode() == 0) {
-#endif
have_openssl_md4 = 1;
/*
# include <openssl/evp.h>
# include <openssl/crypto.h>
# include <openssl/err.h>
-
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-# include <openssl/provider.h>
-# endif
+# include <openssl/provider.h>
static int have_openssl_md5 = -1;
* md5 functions, and call the OpenSSL init
* function.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (!EVP_default_properties_is_fips_enabled(NULL)) {
-#else
- if (FIPS_mode() == 0) {
-#endif
have_openssl_md5 = 1;
/*
typedef enum {
RLM_CIPHER_TYPE_INVALID = 0,
RLM_CIPHER_TYPE_RSA = 1,
+ RLM_CIPHER_TYPE_SYMMETRIC = 2 //!< Any symmetric cipher available via
+ ///< OpenSSL's EVP interface.
} cipher_type_t;
/** Certificate validation modes
{ L("none"), RSA_NO_PADDING },
{ L("oaep"), RSA_PKCS1_OAEP_PADDING }, /* PKCS OAEP padding */
{ L("pkcs"), RSA_PKCS1_PADDING }, /* PKCS 1.5 */
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- { L("ssl"), RSA_SSLV23_PADDING },
-#endif
{ L("x931"), RSA_X931_PADDING }
};
static size_t cipher_rsa_padding_len = NUM_ELEMENTS(cipher_rsa_padding);
static fr_table_num_sorted_t const cipher_type[] = {
- { L("rsa"), RLM_CIPHER_TYPE_RSA }
+ { L("rsa"), RLM_CIPHER_TYPE_RSA },
+ { L("symmetric"), RLM_CIPHER_TYPE_SYMMETRIC }
};
static size_t cipher_type_len = NUM_ELEMENTS(cipher_type);
static const conf_parser_t module_config[] = {
{ FR_CONF_OFFSET_TYPE_FLAGS("type", FR_TYPE_VOID, CONF_FLAG_NOT_EMPTY, rlm_cipher_t, type), .func = cipher_type_parse, .dflt = "rsa" },
{ FR_CONF_OFFSET_SUBSECTION("rsa", 0, rlm_cipher_t, rsa, rsa_config), .subcs_size = sizeof(cipher_rsa_t), .subcs_type = "cipher_rsa_t" },
-
CONF_PARSER_TERMINATOR
};
switch (rsa_inst->padding) {
case RSA_NO_PADDING:
case RSA_X931_PADDING:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- case RSA_SSLV23_PADDING:
-#endif
case RSA_PKCS1_PADDING:
return 0;
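Review bot: The `cipher_type` table now accepts `type = symmetric` and the enum gains `RLM_CIPHER_TYPE_SYMMETRIC`, but the `module_config` array in the same hunk still declares only the `rsa` subsection and the padding `switch` below it is RSA-only, so nothing visible here consumes the new type. Unless the symmetric subsection and its handling are added in a part of the commit outside this excerpt, a configuration selecting it will parse cleanly and then silently do nothing, which is hard to diagnose from the server logs. If the handling lives elsewhere, the `//!<` doc on the enum value should say where it is configured, e.g. `//!< Any symmetric cipher available via OpenSSL's EVP interface; configured by the "symmetric" subsection`; otherwise the table entry should be held back until it is. The enclosing switch starts in the hunk but ends outside it.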
#include <openssl/evp.h>
#include <openssl/hmac.h>
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
-# define EC_POINT_get_affine_coordinates EC_POINT_get_affine_coordinates_GFp
-# define EC_POINT_set_affine_coordinates EC_POINT_set_affine_coordinates_GFp
-#endif
-
typedef struct {
uint8_t lm_exchange;
#define EAP_PWD_EXCH_ID 1
{ L("HMACSHA2+256"), FR_SSHA2_256 },
{ L("HMACSHA2+384"), FR_SSHA2_384 },
{ L("HMACSHA2+512"), FR_SSHA2_512 },
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
{ L("HMACSHA3+224"), FR_SSHA3_224 },
{ L("HMACSHA3+256"), FR_SSHA3_256 },
{ L("HMACSHA3+384"), FR_SSHA3_384 },
{ L("HMACSHA3+512"), FR_SSHA3_512 },
-# endif
};
static size_t pbkdf2_crypt_names_len = NUM_ELEMENTS(pbkdf2_crypt_names);
PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_384, "SSHA2-384", EVP_sha384())
PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha2_512, "SSHA2-512", EVP_sha512())
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_224, "SHA3-224", EVP_sha3_224())
PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_256, "SHA3-256", EVP_sha3_256())
PAP_AUTH_EVP_MD(pap_auth_evp_md, pap_auth_sha3_384, "SHA3-384", EVP_sha3_384())
PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_256, "SSHA3-256", EVP_sha3_256())
PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_384, "SSHA3-384", EVP_sha3_384())
PAP_AUTH_EVP_MD(pap_auth_evp_md_salted, pap_auth_ssha3_512, "SSHA3-512", EVP_sha3_512())
-# endif
/** Validates Crypt::PBKDF2 LDAP format strings
*
digest_len = SHA512_DIGEST_LENGTH;
break;
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
case FR_SSHA3_224:
evp_md = EVP_sha3_224();
digest_len = SHA224_DIGEST_LENGTH;
evp_md = EVP_sha3_512();
digest_len = SHA512_DIGEST_LENGTH;
break;
-# endif
default:
REDEBUG("Unknown PBKDF2 hash method \"%.*s\"", (int)(q - p), p);
[FR_SSHA2_256] = pap_auth_ssha2_256,
[FR_SSHA2_384] = pap_auth_ssha2_384,
[FR_SSHA2_512] = pap_auth_ssha2_512,
-
-# if OPENSSL_VERSION_NUMBER >= 0x10101000L
[FR_SHA3] = pap_auth_dummy,
[FR_SHA3_224] = pap_auth_sha3_224,
[FR_SHA3_256] = pap_auth_sha3_256,
[FR_SSHA3_256] = pap_auth_ssha3_256,
[FR_SSHA3_384] = pap_auth_ssha3_384,
[FR_SSHA3_512] = pap_auth_ssha3_512,
-# endif
#endif /* HAVE_OPENSSL_EVP_H */
};