openssl: Fix compilation without deprecated OpenSSL 1.1 APIs

EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
replaced with _reset.

EVP_CIPHER_CTX_free in OpenSSL 1.1 replaces the cleanup/free combo of
earlier OpenSSL version. And OpenSSL 1.0.2 already calls cleanup as part
of _free.

Therefore we can remove the _cleanup calls and use the OpenSSL 1.1. API
everywhere.

Also removed initialisation with OpenSSL 1.1 as it is no longer
needed and causes compilation errors when disabling deprecated APIs.

Same with SSL_CTX_set_ecdh_auto as it got removed.

Patch V3: Use EVP_CIPHER_CTX_reset instead of init/cleanup

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20190724152934.9884-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18700.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/configure.ac b/configure.ac
index e9f8a2f988cbeeb324a862999a69f18ff8ce4f2d..c7fd7a84d5994247bae4b9a92cb5239ce0123a94 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -919,10 +919,13 @@ if test "${with_crypto_library}" = "openssl"; then
                        EVP_MD_CTX_new \
                        EVP_MD_CTX_free \
                        EVP_MD_CTX_reset \
+                       EVP_CIPHER_CTX_reset \
                        OpenSSL_version \
                        SSL_CTX_get_default_passwd_cb \
                        SSL_CTX_get_default_passwd_cb_userdata \
                        SSL_CTX_set_security_level \
+                       X509_get0_notBefore \
+                       X509_get0_notAfter \
                        X509_get0_pubkey \
                        X509_STORE_get0_objects \
                        X509_OBJECT_free \

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 8bf33e7b17f761a0dc1c9faefcf9859d5035e543..65e789ed80b0543ee6a124378ea6ec7e7fbe768a 100644 (file)
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -895,7 +895,6 @@ free_key_ctx(struct key_ctx *ctx)
 {
     if (ctx->cipher)
     {
-        cipher_ctx_cleanup(ctx->cipher);
         cipher_ctx_free(ctx->cipher);
         ctx->cipher = NULL;
     }

diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 7e9a4bd2ca566762ba52630f214d98c2ef93163f..d119442f0299ecb14c5f4f06d982c4bd2a8c4a68 100644 (file)
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -341,7 +341,7 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher);
 cipher_ctx_t *cipher_ctx_new(void);
 
 /**
- * Free a cipher context
+ * Cleanup and free a cipher context
  *
  * @param ctx           Cipher context.
  */
@@ -360,13 +360,6 @@ void cipher_ctx_free(cipher_ctx_t *ctx);
 void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, int key_len,
                      const cipher_kt_t *kt, int enc);
 
-/**
- * Cleanup the specified context.
- *
- * @param ctx   Cipher context to cleanup.
- */
-void cipher_ctx_cleanup(cipher_ctx_t *ctx);
-
 /**
  * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is
  * used.

diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 2e931440dc220349891545bd6187cccd8477f636..f924323d115f9f8d1323706631ff5b3d9a55a251 100644 (file)
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -616,12 +616,6 @@ cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, int key_len,
     ASSERT(ctx->key_bitlen <= key_len*8);
 }
 
-void
-cipher_ctx_cleanup(mbedtls_cipher_context_t *ctx)
-{
-    mbedtls_cipher_free(ctx);
-}
-
 int
 cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx)
 {
@@ -861,6 +855,7 @@ md_ctx_new(void)
 void
 md_ctx_free(mbedtls_md_context_t *ctx)
 {
+    mbedtls_cipher_free(ctx);
     free(ctx);
 }
 

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index c049e52db57f13d856539c2783de139cbd1b63a5..520e40ee304a2244aaa20ec8fcfae0793a4ecb96 100644 (file)
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -772,7 +772,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len,
 {
     ASSERT(NULL != kt && NULL != ctx);
 
-    EVP_CIPHER_CTX_init(ctx);
+    EVP_CIPHER_CTX_reset(ctx);
     if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
     {
         crypto_msg(M_FATAL, "EVP cipher init #1");
@@ -792,12 +792,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len,
     ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= key_len);
 }
 
-void
-cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx)
-{
-    EVP_CIPHER_CTX_cleanup(ctx);
-}
-
 int
 cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx)
 {

diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index a4072b9a7eb4bbfad2f97ce1b84c592634cc9e73..4ac8f24dee4f883b753eed7076fc32481afb8464 100644 (file)
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -89,6 +89,18 @@ EVP_MD_CTX_new(void)
 }
 #endif
 
+#if !defined(HAVE_EVP_CIPHER_CTX_RESET)
+#define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_init
+#endif
+
+#if !defined(HAVE_X509_GET0_NOTBEFORE)
+#define X509_get0_notBefore X509_get_notBefore
+#endif
+
+#if !defined(HAVE_X509_GET0_NOTAFTER)
+#define X509_get0_notAfter X509_get_notAfter
+#endif
+
 #if !defined(HAVE_HMAC_CTX_RESET)
 /**
  * Reset a HMAC context

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8bcebac452d9502a6d48731e011e3cb1f236be56..07916c3c868482484aed876384b5e898d7783bc5 100644 (file)
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */
 void
 tls_init_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
     SSL_library_init();
 #ifndef ENABLE_SMALL
     SSL_load_error_strings();
 #endif
     OpenSSL_add_all_algorithms();
-
+#endif
     mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL);
     ASSERT(mydata_index >= 0);
 }
@@ -89,10 +90,12 @@ tls_init_lib(void)
 void
 tls_free_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
     EVP_cleanup();
 #ifndef ENABLE_SMALL
     ERR_free_strings();
 #endif
+#endif
 }
 
 void
@@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
         goto cleanup; /* Nothing to check if there is no certificate */
     }
 
-    ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
+    ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
     if (ret == 0)
     {
         msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
@@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
         msg(M_WARN, "WARNING: Your certificate is not yet valid!");
     }
 
-    ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
+    ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
     if (ret == 0)
     {
         msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
@@ -634,10 +637,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
     else
     {
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
+
         /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
          * loading */
         SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
         return;
+#endif
 #else
         /* For older OpenSSL we have to extract the curve from key on our own */
         EC_KEY *eckey = NULL;