+dnl DOVECOT_CHECK_SSL_FUNC(function)
+AC_DEFUN([DOVECOT_CHECK_SSL_FUNC], [
+ AC_CHECK_DECL([$1], AC_DEFINE(HAVE_$1,, [Define if you have $1]),,
+[[#include <openssl/opensslv.h>
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/ec.h>
+#include <openssl/ssl.h>
+#include <openssl/hmac.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/encoder.h>
+#include <openssl/decoder.h>
+#include <openssl/params.h>
+#include <openssl/provider.h>
+#include <openssl/core.h>
+#endif
+#include <openssl/objects.h>
+#include <openssl/err.h>
+]])
+])
+
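Review bot: In DOVECOT_CHECK_SSL_FUNC the action-if-found argument of AC_CHECK_DECL is passed unquoted, so the AC_DEFINE call is expanded while the arguments are being collected instead of as the action; it should read `[AC_DEFINE([HAVE_$1], [], [Define if you have $1])]`. The `dnl` header gives only the signature. It should also say that this is a header declaration check and not a link check, that a symbol present in the library but hidden or absent in the headers counts as missing, and that the result macro is `HAVE_` followed by the function name with its case preserved.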
AC_DEFUN([DOVECOT_SSL], [
build_dcrypt_openssl=no
have_openssl=no
AC_MSG_ERROR([OpenSSL v1.0.2 or better required to build Dovecot])
])
- dnl * SSL_clear_options introduced in openssl 0.9.8m but may be backported to
- dnl * older versions in "enterprise" OS releases; originally implemented as a
- dnl * macro but as a function in more recent openssl versions
- AC_CACHE_CHECK([whether SSL_clear_options exists],i_cv_have_ssl_clear_options,[
- old_LIBS=$LIBS
- LIBS="$LIBS -lssl"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[
- #include <openssl/ssl.h>
- ]], [[
- SSL *ssl;
- long options;
- SSL_clear_options(ssl, options);
- ]])], [
- i_cv_have_ssl_clear_options=yes
- ],[
- i_cv_have_ssl_clear_options=no
- ])
- LIBS=$old_LIBS
- ])
- AS_IF([test $i_cv_have_ssl_clear_options = yes], [
- AC_DEFINE(HAVE_SSL_CLEAR_OPTIONS,, [Define if you have SSL_clear_options])
- ])
+ SSL_CFLAGS="$SSL_CFLAGS -DOPENSSL_NO_DEPRECATED -DOPENSSL_API_COMPAT=0x1000200L"
+
+ old_CFLAGS="$CFLAGS"
+ CFLAGS="$old_CFLAGS $SSL_CFLAGS"
dnl * New style mem functions? Should be in v1.1+
AC_CACHE_CHECK([whether CRYPTO_set_mem_functions has new style parameters],i_cv_have_ssl_new_mem_funcs,[
AC_DEFINE(HAVE_SSL_NEW_MEM_FUNCS,, [Define if CRYPTO_set_mem_functions has new style parameters])
])
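Review bot: The line `SSL_CFLAGS="$SSL_CFLAGS -DOPENSSL_NO_DEPRECATED -DOPENSSL_API_COMPAT=0x1000200L"` changes what the probes that follow can see and has no comment. With these defines a function may be undeclared either because the installed OpenSSL predates it or because the headers hide it as deprecated, and the C fallbacks chosen when a `HAVE_*` macro is absent appear to be written for the first case only. I would add above it `dnl Probes and the build share these flags; a function the headers hide as deprecated is treated as missing`. The flags also stay in `SSL_CFLAGS` after `CFLAGS` is restored, so they apply to every object built with `SSL_CFLAGS`; if that is deliberate the comment should state it.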
- dnl * SSL_CTX_set_min_proto_version is also a macro so AC_CHECK_LIB fails here.
- AC_CACHE_CHECK([whether SSL_CTX_set_min_proto_version exists],i_cv_have_ssl_ctx_set_min_proto_version,[
- old_LIBS=$LIBS
- LIBS="$LIBS -lssl"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[
- #include <openssl/ssl.h>
- ]], [[
- SSL_CTX_set_min_proto_version((void*)0, 0);
- ]])],[
- i_cv_have_ssl_ctx_set_min_proto_version=yes
- ],[
- i_cv_have_ssl_ctx_set_min_proto_version=no
- ])
- LIBS=$old_LIBS
- ])
- AS_IF([test $i_cv_have_ssl_ctx_set_min_proto_version = yes], [
- AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION,, [Define if you have SSL_CTX_set_min_proto_version])
- ])
-
- dnl * SSL_CTX_set_current_cert is also a macro so AC_CHECK_LIB fails here.
- AC_CACHE_CHECK([whether SSL_CTX_set_current_cert exists],i_cv_have_ssl_ctx_set_current_cert,[
- old_LIBS=$LIBS
- LIBS="$LIBS -lssl"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[
- #include <openssl/ssl.h>
- ]], [[
- SSL_CTX_set_current_cert((void*)0, 0);
- ]])],[
- i_cv_have_ssl_ctx_set_current_cert=yes
- ],[
- i_cv_have_ssl_ctx_set_current_cert=no
- ])
- LIBS=$old_LIBS
- ])
- AS_IF([test $i_cv_have_ssl_ctx_set_current_cert = yes], [
- AC_DEFINE(HAVE_SSL_CTX_SET_CURRENT_CERT,, [Define if you have SSL_CTX_set_current_cert])
- ])
-
-
- AC_CHECK_LIB(ssl, SSL_CIPHER_get_kx_nid, [
- AC_DEFINE(HAVE_SSL_CIPHER_get_kx_nid,, [Define if you have SSL_CIPHER_get_kx_nid])
- ],, $SSL_LIBS)
+ DOVECOT_CHECK_SSL_FUNC([ASN1_STRING_get0_data])
+ DOVECOT_CHECK_SSL_FUNC([BN_secure_new])
+ DOVECOT_CHECK_SSL_FUNC([ECDSA_SIG_get0])
+ DOVECOT_CHECK_SSL_FUNC([ECDSA_SIG_set0])
+ DOVECOT_CHECK_SSL_FUNC([EC_GROUP_order_bits])
+ DOVECOT_CHECK_SSL_FUNC([ERR_get_error_all])
+ DOVECOT_CHECK_SSL_FUNC([ERR_get_error_line_data])
+ DOVECOT_CHECK_SSL_FUNC([ERR_remove_state])
+ DOVECOT_CHECK_SSL_FUNC([ERR_remove_thread_state])
+ DOVECOT_CHECK_SSL_FUNC([EVP_EC_gen])
+ DOVECOT_CHECK_SSL_FUNC([EVP_MAC_CTX_new])
+ DOVECOT_CHECK_SSL_FUNC([EVP_MD_CTX_new])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_get0_RSA])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_get0_EC_KEY])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_get0_DH])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_set1_encoded_public_key])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_EC])
+ DOVECOT_CHECK_SSL_FUNC([HMAC_CTX_init])
+ DOVECOT_CHECK_SSL_FUNC([HMAC_CTX_new])
+ DOVECOT_CHECK_SSL_FUNC([OBJ_cleanup])
+ DOVECOT_CHECK_SSL_FUNC([OBJ_length])
+ DOVECOT_CHECK_SSL_FUNC([OPENSSL_cleanup])
+ DOVECOT_CHECK_SSL_FUNC([OPENSSL_init_ssl])
+ DOVECOT_CHECK_SSL_FUNC([OPENSSL_thread_stop])
+ DOVECOT_CHECK_SSL_FUNC([OSSL_PROVIDER_try_load])
+ DOVECOT_CHECK_SSL_FUNC([PEM_read_bio_Parameters])
+ DOVECOT_CHECK_SSL_FUNC([RSA_set0_crt_params])
+ DOVECOT_CHECK_SSL_FUNC([RSA_set0_factors])
+ DOVECOT_CHECK_SSL_FUNC([RSA_set0_key])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CIPHER_get_kx_nid])
+ DOVECOT_CHECK_SSL_FUNC([SSL_clear_options])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set0_tmp_dh_pkey])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_ciphersuites])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_current_cert])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_min_proto_version])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_tmp_dh_callback])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_tmp_rsa_callback])
+ DOVECOT_CHECK_SSL_FUNC([SSL_get1_peer_certificate])
+ DOVECOT_CHECK_SSL_FUNC([SSL_load_error_strings])
- AC_CHECK_LIB(ssl, ERR_remove_thread_state, [
- AC_DEFINE(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE,, [Define if you have ERR_remove_thread_state])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, OPENSSL_thread_stop, [
- AC_DEFINE(HAVE_OPENSSL_AUTO_THREAD_DEINIT,, [Define if OpenSSL performs thread cleanup automatically])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, OPENSSL_cleanup, [
- AC_DEFINE(HAVE_OPENSSL_CLEANUP,, [OpenSSL supports OPENSSL_cleanup()])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, ASN1_STRING_get0_data, [
- AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA,, [Build with ASN1_STRING_get0_data() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, HMAC_CTX_new, [
- AC_DEFINE(HAVE_HMAC_CTX_NEW,, [Build with HMAC_CTX_new() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, EVP_MD_CTX_new, [
- AC_DEFINE(HAVE_EVP_MD_CTX_NEW,, [Build with EVP_MD_CTX_new() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, OBJ_length, [
- AC_DEFINE(HAVE_OBJ_LENGTH,, [Build with OBJ_length() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, EVP_PKEY_get0_RSA, [
- AC_DEFINE(HAVE_EVP_PKEY_get0,, [Build with EVP_PKEY_get0_*() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [
- AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES,, [Build with SSL_CTX_set_ciphersuites() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, BN_secure_new, [
- AC_DEFINE(HAVE_BN_SECURE_NEW,, [Build with BN_secure_new support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, RSA_set0_key, [
- AC_DEFINE(HAVE_RSA_SET0_KEY,, [Build with RSA_set0_key support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, RSA_set0_factors, [
- AC_DEFINE(HAVE_RSA_SET0_FACTORS,, [Build with RSA_set0_factors support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, RSA_set0_crt_params, [
- AC_DEFINE(HAVE_RSA_SET0_CRT_PARAMS,, [Build with RSA_set0_crt_params support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, ECDSA_SIG_get0, [
- AC_DEFINE(HAVE_ECDSA_SIG_GET0,, [Build with ECDSA_SIG_get0 support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, ECDSA_SIG_set0, [
- AC_DEFINE(HAVE_ECDSA_SIG_SET0,, [Build with ECDSA_SIG_set0 support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, EC_GROUP_order_bits, [
- AC_DEFINE(HAVE_EC_GROUP_order_bits,, [Build with EC_GROUP_order_bits support])
- ],, $SSL_LIBS)
+ CFLAGS="$old_CFLAGS"
])
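Review bot: Switching to DOVECOT_CHECK_SSL_FUNC renames several config macros without leaving the old ones defined: `HAVE_SSL_CLEAR_OPTIONS`, `HAVE_SSL_CTX_SET_MIN_PROTO_VERSION`, `HAVE_SSL_CTX_SET_CURRENT_CERT`, `HAVE_SSL_CTX_SET_CIPHERSUITES`, `HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE`, `HAVE_OPENSSL_AUTO_THREAD_DEINIT` and `HAVE_OPENSSL_CLEANUP` are gone. An `#ifdef` that still tests an old name compiles cleanly and takes its fallback branch, which for the protocol-version, cipher-suite and option code would presumably mean a weaker TLS setup with no build error. Only the dcrypt guards are renamed in the part of the change visible here, so every remaining use of the old names needs checking. A `dnl` block above the list mapping each old name to its replacement would make that audit repeatable.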
2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
**/
-#ifndef HAVE_EVP_PKEY_get0
+#ifndef HAVE_EVP_PKEY_get0_EC_KEY
#define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
+#endif
+#ifndef HAVE_EVP_PKEY_get0_RSA
#define EVP_PKEY_get0_RSA(x) x->pkey.rsa
#endif
-#ifndef HAVE_OBJ_LENGTH
+#ifndef HAVE_OBJ_length
#define OBJ_length(o) ((o)->length)
#endif
-#ifndef HAVE_EVP_MD_CTX_NEW
+#ifndef HAVE_EVP_MD_CTX_new
# define EVP_MD_CTX_new() EVP_MD_CTX_create()
# define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy(ctx)
#endif
-#ifndef HAVE_HMAC_CTX_NEW
+#ifndef HAVE_HMAC_CTX_new
# define HMAC_Init_ex(ctx, key, key_len, md, impl) \
HMAC_Init_ex(&(ctx), key, key_len, md, impl)
# define HMAC_Update(ctx, data, len) HMAC_Update(&(ctx), data, len)
#endif
/* Not always present */
-#ifndef HAVE_BN_SECURE_NEW
+#ifndef HAVE_BN_secure_new
# define BN_secure_new BN_new
#endif
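Review bot: The `BN_secure_new` fallback degrades silently: whenever configure leaves `HAVE_BN_secure_new` undefined, `# define BN_secure_new BN_new` makes every caller allocate from the ordinary heap, and nothing in the build reports it. Now that the guard depends on a declaration probe, the existing `/* Not always present */` should be expanded to something like `/* Fallback: without BN_secure_new, BIGNUMs are allocated with BN_new, not from the secure heap */`. The newly split `EVP_PKEY_get0_EC_KEY` and `EVP_PKEY_get0_RSA` guards select macros that read struct members directly and leave `x` unparenthesized; `(x)->pkey.ec` and `(x)->pkey.rsa` would be safer, with a comment that these fallbacks are for headers where the struct is not opaque.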
struct dcrypt_context_hmac {
pool_t pool;
const EVP_MD *md;
-#ifdef HAVE_HMAC_CTX_NEW
+#ifdef HAVE_HMAC_CTX_new
HMAC_CTX *ctx;
#else
HMAC_CTX ctx;
int ec;
i_assert(ctx->md != NULL);
-#ifdef HAVE_HMAC_CTX_NEW
+#ifdef HAVE_HMAC_CTX_new
ctx->ctx = HMAC_CTX_new();
if (ctx->ctx == NULL)
return dcrypt_openssl_error(error_r);
}
/* RSA helpers */
-#if !defined(HAVE_RSA_SET0_KEY)
+#if !defined(HAVE_RSA_set0_key)
static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
{
if (n == NULL || e == NULL) {
return 1;
}
#endif
-#if !defined(HAVE_RSA_SET0_FACTORS)
+#if !defined(HAVE_RSA_set0_factors)
static int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
{
if (p == NULL || q == NULL) {
return 1;
}
#endif
-#if !defined(HAVE_RSA_SET0_CRT_PARAMS)
+#if !defined(HAVE_RSA_set0_crt_params)
static int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
{
if (dmp1 == NULL || dmq1 == NULL || iqmp == NULL) {
return ret;
}
-#ifndef HAVE_ECDSA_SIG_GET0
+#ifndef HAVE_ECDSA_SIG_get0
static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
{
i_assert(sig != NULL);
*ps = sig->s;
}
#endif
-#ifndef HAVE_ECDSA_SIG_SET0
+#ifndef HAVE_ECDSA_SIG_set0
static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
{
if (sig == NULL || r == NULL || s == NULL) {