We no longer support any version without this API.
if (!cipher_)
return;
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
-#ifdef OPENSSL_1_1_API
EVP_CIPHER_CTX_reset(cipher);
-#else
- EVP_CIPHER_CTX_cleanup(cipher);
-#endif
EVP_CIPHER_CTX_free(cipher);
}
void
* \brief compatibility definitions for working with different openssl forks
**/
-#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
-#error "We require OpenSSL >= 1.0.1"
-#endif
-
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
-/* We define this macro if we're trying to build with the majorly refactored
- * API in OpenSSL 1.1 */
-#define OPENSSL_1_1_API
-#endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */
-
-/* LibreSSL claims to be OpenSSL 2.0 but lacks these OpenSSL 1.1 APIs */
-#if !defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+/* LibreSSL claims to be OpenSSL 2.0 but lacks this OpenSSL 1.1 API. */
+#if defined(LIBRESSL_VERSION_NUMBER)
#define RAND_OpenSSL() RAND_SSLeay()
-#define STATE_IS_SW_SERVER_HELLO(st) \
- (((st) == SSL3_ST_SW_SRVR_HELLO_A) || \
- ((st) == SSL3_ST_SW_SRVR_HELLO_B))
#define OSSL_HANDSHAKE_STATE int
-#define CONST_IF_OPENSSL_1_1_API
-#else
-#define STATE_IS_SW_SERVER_HELLO(st) \
- ((st) == TLS_ST_SW_SRVR_HELLO)
-#define CONST_IF_OPENSSL_1_1_API const
#endif
-/* OpenSSL 1.1 and LibreSSL both have these APIs */
-#ifndef OPENSSL_1_1_API
-#define OpenSSL_version(v) SSLeay_version(v)
-#define tor_OpenSSL_version_num() SSLeay()
-#else /* defined(OPENSSL_1_1_API) */
#define tor_OpenSSL_version_num() OpenSSL_version_num()
-#endif /* !defined(OPENSSL_1_1_API) */
#endif /* defined(ENABLE_OPENSSL) */
/* Copy into a temporary DH object, just so that DH_check() can be called. */
if (!(dh = DH_new()))
goto out;
-#ifdef OPENSSL_1_1_API
+
BIGNUM *dh_p, *dh_g;
if (!(dh_p = BN_dup(p)))
goto out;
goto out;
if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
goto out;
-#else /* !defined(OPENSSL_1_1_API) */
- if (!(dh->p = BN_dup(p)))
- goto out;
- if (!(dh->g = BN_dup(g)))
- goto out;
-#endif /* defined(OPENSSL_1_1_API) */
/* Perform the validation. */
int codes = 0;
goto err;
}
-#ifdef OPENSSL_1_1_API
-
if (!DH_set0_pqg(res_dh, dh_p, NULL, dh_g)) {
goto err;
}
if (!DH_set_length(res_dh, DH_PRIVATE_KEY_BITS))
goto err;
-#else /* !defined(OPENSSL_1_1_API) */
- res_dh->p = dh_p;
- res_dh->g = dh_g;
- res_dh->length = DH_PRIVATE_KEY_BITS;
-#endif /* defined(OPENSSL_1_1_API) */
return res_dh;
int
crypto_dh_generate_public(crypto_dh_t *dh)
{
-#ifndef OPENSSL_1_1_API
- again:
-#endif
if (!DH_generate_key(dh->dh)) {
/* LCOV_EXCL_START
* To test this we would need some way to tell openssl to break DH. */
return -1;
/* LCOV_EXCL_STOP */
}
-#ifdef OPENSSL_1_1_API
+
/* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without
* recreating the DH object. I have no idea what sort of aliasing madness
* can occur here, so do the check, and just bail on failure.
"the-universe chances really do happen. Treating as a failure.");
return -1;
}
-#else /* !defined(OPENSSL_1_1_API) */
- if (tor_check_dh_key(LOG_WARN, dh->dh->pub_key)<0) {
- /* LCOV_EXCL_START
- * If this happens, then openssl's DH implementation is busted. */
- log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-"
- "the-universe chances really do happen. Trying again.");
- /* Free and clear the keys, so OpenSSL will actually try again. */
- BN_clear_free(dh->dh->pub_key);
- BN_clear_free(dh->dh->priv_key);
- dh->dh->pub_key = dh->dh->priv_key = NULL;
- goto again;
- /* LCOV_EXCL_STOP */
- }
-#endif /* defined(OPENSSL_1_1_API) */
+
return 0;
}
const BIGNUM *dh_pub;
-#ifdef OPENSSL_1_1_API
const BIGNUM *dh_priv;
DH_get0_key(dh->dh, &dh_pub, &dh_priv);
-#else
- dh_pub = dh->dh->pub_key;
-#endif /* defined(OPENSSL_1_1_API) */
if (!dh_pub) {
if (crypto_dh_generate_public(dh)<0)
return -1;
else {
-#ifdef OPENSSL_1_1_API
DH_get0_key(dh->dh, &dh_pub, &dh_priv);
-#else
- dh_pub = dh->dh->pub_key;
-#endif
}
}
void
crypto_openssl_early_init(void)
{
-#ifdef OPENSSL_1_1_API
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
OPENSSL_INIT_LOAD_CRYPTO_STRINGS |
OPENSSL_INIT_ADD_ALL_CIPHERS |
OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
-#else /* !defined(OPENSSL_1_1_API) */
- ERR_load_crypto_strings();
- OpenSSL_add_all_algorithms();
-#endif /* defined(OPENSSL_1_1_API) */
setup_openssl_threading();
-#ifdef OPENSSL_1_1_API
unsigned long version_num = tor_OpenSSL_version_num();
const char *version_str = crypto_openssl_get_version_str();
if (version_num == OPENSSL_VERSION_NUMBER &&
(unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
version_num, version_str);
}
-#endif /* defined(OPENSSL_1_1_API) */
crypto_force_rand_ssleay();
}
used by Tor and the set of algorithms available in the engine */
log_engine("RSA", ENGINE_get_default_RSA());
log_engine("DH", ENGINE_get_default_DH());
-#ifdef OPENSSL_1_1_API
log_engine("EC", ENGINE_get_default_EC());
-#else
- log_engine("ECDH", ENGINE_get_default_ECDH());
- log_engine("ECDSA", ENGINE_get_default_ECDSA());
-#endif /* defined(OPENSSL_1_1_API) */
log_engine("RAND", ENGINE_get_default_RAND());
log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
void
crypto_openssl_global_cleanup(void)
{
-#ifndef OPENSSL_1_1_API
- EVP_cleanup();
-#endif
#ifndef NEW_THREAD_API
ERR_remove_thread_state(NULL);
-#endif
-#ifndef OPENSSL_1_1_API
- ERR_free_strings();
-#endif
-
-#ifndef DISABLE_ENGINES
-#ifndef OPENSSL_1_1_API
- ENGINE_cleanup();
-#endif
#endif
CONF_modules_unload(1);
-#ifndef OPENSSL_1_1_API
- CRYPTO_cleanup_all_ex_data();
-#endif
crypto_openssl_free_all();
}
int
crypto_pk_key_is_private(const crypto_pk_t *k)
{
-#ifdef OPENSSL_1_1_API
if (!k || !k->key)
return 0;
const BIGNUM *p, *q;
RSA_get0_factors(k->key, &p, &q);
return p != NULL; /* XXX/yawning: Should we check q? */
-#else /* !defined(OPENSSL_1_1_API) */
- return k && k->key && k->key->p;
-#endif /* defined(OPENSSL_1_1_API) */
}
/** used by tortls.c: wrap an RSA* in a crypto_pk_t. Takes ownership of
const BIGNUM *e;
-#ifdef OPENSSL_1_1_API
const BIGNUM *n, *d;
RSA_get0_key(env->key, &n, &e, &d);
-#else
- e = env->key->e;
-#endif /* defined(OPENSSL_1_1_API) */
return BN_is_word(e, TOR_RSA_EXPONENT);
}
const BIGNUM *a_n, *a_e;
const BIGNUM *b_n, *b_e;
-#ifdef OPENSSL_1_1_API
const BIGNUM *a_d, *b_d;
RSA_get0_key(a->key, &a_n, &a_e, &a_d);
RSA_get0_key(b->key, &b_n, &b_e, &b_d);
-#else
- a_n = a->key->n;
- a_e = a->key->e;
- b_n = b->key->n;
- b_e = b->key->e;
-#endif /* defined(OPENSSL_1_1_API) */
tor_assert(a_n != NULL && a_e != NULL);
tor_assert(b_n != NULL && b_e != NULL);
tor_assert(env);
tor_assert(env->key);
-#ifdef OPENSSL_1_1_API
/* It's so stupid that there's no other way to check that n is valid
* before calling RSA_bits().
*/
tor_assert(n != NULL);
return RSA_bits(env->key);
-#else /* !defined(OPENSSL_1_1_API) */
- tor_assert(env->key->n);
- return BN_num_bits(env->key->n);
-#endif /* defined(OPENSSL_1_1_API) */
}
/** Increase the reference count of <b>env</b>, and return it.
rsa_private_key_too_long(RSA *rsa, int max_bits)
{
const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
-#if defined(OPENSSL_1_1_API) && \
- (!defined(LIBRESSL_VERSION_NUMBER) || \
- LIBRESSL_VERSION_NUMBER >= OPENSSL_V_SERIES(3,5,0))
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
n = RSA_get0_n(rsa);
e = RSA_get0_e(rsa);
p = RSA_get0_p(rsa);
dmp1 = RSA_get0_dmp1(rsa);
dmq1 = RSA_get0_dmq1(rsa);
iqmp = RSA_get0_iqmp(rsa);
-#else /* !(OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)) */
- /* The accessors above did not exist in openssl 1.1.0. */
- p = q = dmp1 = dmq1 = iqmp = NULL;
- RSA_get0_key(rsa, &n, &e, &d);
-#endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1) */
if (RSA_bits(rsa) > max_bits)
return true;
-#else /* !defined(OPENSSL_1_1_API) && ... */
- n = rsa->n;
- e = rsa->e;
- p = rsa->p;
- q = rsa->q;
- d = rsa->d;
- dmp1 = rsa->dmp1;
- dmq1 = rsa->dmq1;
- iqmp = rsa->iqmp;
-#endif /* defined(OPENSSL_1_1_API) && ... */
if (n && BN_num_bits(n) > max_bits)
return true;
case SSL_R_HTTP_REQUEST:
case SSL_R_HTTPS_PROXY_REQUEST:
case SSL_R_RECORD_LENGTH_MISMATCH:
-#ifndef OPENSSL_1_1_API
- case SSL_R_RECORD_TOO_LARGE:
-#endif
case SSL_R_UNKNOWN_PROTOCOL:
case SSL_R_UNSUPPORTED_PROTOCOL:
severity = LOG_INFO;
check_no_tls_errors();
if (!tls_library_is_initialized) {
-#ifdef OPENSSL_1_1_API
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
-#else
- SSL_library_init();
- SSL_load_error_strings();
-#endif /* defined(OPENSSL_1_1_API) */
-
-#if (SIZEOF_VOID_P >= 8 && \
- OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1) && \
- (!defined(LIBRESSL_VERSION_NUMBER) || \
- LIBRESSL_VERSION_NUMBER < 0x3080000fL))
- long version = tor_OpenSSL_version_num();
+#if (SIZEOF_VOID_P >= 8)
/* LCOV_EXCL_START : we can't test these lines on the same machine */
- if (version >= OPENSSL_V_SERIES(1,0,1)) {
+ {
+ /* TODO: I'm not sure that this test is still necessary on our
+ * supported openssl/libressl versions. */
+
/* Warn if we could *almost* be running with much faster ECDH.
If we're built for a 64-bit target, using OpenSSL 1.0.1, but we
don't have one of the built-in __uint128-based speedups, we are
"when configuring it) would make ECDH much faster.");
}
/* LCOV_EXCL_STOP */
-#endif /* (SIZEOF_VOID_P >= 8 && ... */
+#endif /* (SIZEOF_VOID_P >= 8 */
tor_tls_allocate_tor_tls_object_ex_data_index();
#include <stdlib.h>
#include <string.h>
-#ifdef OPENSSL_1_1_API
#define X509_get_notBefore_const(cert) \
X509_get0_notBefore(cert)
#define X509_get_notAfter_const(cert) \
#define X509_get_notAfter(cert) \
X509_getm_notAfter(cert)
#endif
-#else /* !defined(OPENSSL_1_1_API) */
-#define X509_get_notBefore_const(cert) \
- ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert))
-#define X509_get_notAfter_const(cert) \
- ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert))
-#endif /* defined(OPENSSL_1_1_API) */
/** Return a newly allocated X509 name with commonName <b>cname</b>. */
static X509_NAME *
cert_key = X509_get_pubkey(cert->cert);
if (check_rsa_1024 && cert_key) {
RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
-#ifdef OPENSSL_1_1_API
if (rsa && RSA_bits(rsa) == 1024) {
-#else
- if (rsa && BN_num_bits(rsa->n) == 1024) {
-#endif
key_ok = 1;
} else {
log_fn(severity, LD_CRYPTO, "Invalid certificate: Key is not RSA1024.");
dh4 = crypto_dh_new_openssl_tls();
tt_assert(DH_generate_key(dh4));
const BIGNUM *pk=NULL;
-#ifdef OPENSSL_1_1_API
const BIGNUM *sk=NULL;
DH_get0_key(dh4, &pk, &sk);
-#else
- pk = dh4->pub_key;
-#endif /* defined(OPENSSL_1_1_API) */
tt_assert(pk);
tt_int_op(BN_num_bytes(pk), OP_LE, DH1024_KEY_LEN);
tt_int_op(BN_num_bytes(pk), OP_GT, 0);
;
}
-#ifndef OPENSSL_1_1_API
-#define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX))
-#define EVP_ENCODE_CTX_free(ctx) tor_free(ctx)
-#endif
-
/** Encode src into dest with OpenSSL's EVP Encode interface, returning the
* length of the encoded data in bytes.
*/
static void
library_init(void)
{
-#ifdef OPENSSL_1_1_API
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
-#else
- SSL_library_init();
- SSL_load_error_strings();
-#endif /* defined(OPENSSL_1_1_API) */
}
static void
LOG_WARN, 0, NULL);
expect_log_severity(LOG_INFO);
-#ifndef OPENSSL_1_1_API
- mock_clean_saved_logs();
- tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_RECORD_TOO_LARGE),
- LOG_WARN, 0, NULL);
- expect_log_severity(LOG_INFO);
-#endif /* !defined(OPENSSL_1_1_API) */
-
mock_clean_saved_logs();
tor_tls_log_one_error(tls, ERR_PACK(1, 2, SSL_R_UNKNOWN_PROTOCOL),
LOG_WARN, 0, NULL);
tor_tls_block_renegotiation(tls);
-#ifndef OPENSSL_1_1_API
- tt_assert(!(tls->ssl->s3->flags &
- SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
-#endif
-
done:
tor_free(tls->ssl->s3);
tor_free(tls->ssl);
projects / thirdparty / tor.git / commitdiff
