ITS#9323 - Limit to OpenSSL 1.0.2 or later
authorQuanah Gibson-Mount <quanah@openldap.org>
Tue, 25 Aug 2020 18:32:24 +0000 (18:32 +0000)
committerQuanah Gibson-Mount <quanah@openldap.org>
Tue, 25 Aug 2020 21:52:04 +0000 (21:52 +0000)
build/openldap.m4
configure.in
include/portable.hin
libraries/libldap/init.c
libraries/libldap/tls2.c
libraries/libldap/tls_o.c
servers/slapd/bconfig.c
servers/slapd/config.c
servers/slapd/slap.h

index 048abbcd7b0b9deb53eaad84e850b0ab799e00bb..2419683b3d72640c8d267745328d74307aeb6b4f 100644 (file)
@@ -806,19 +806,3 @@ AC_DEFUN([OL_SASL_COMPAT],
 #endif
        ],      [ol_cv_sasl_compat=yes], [ol_cv_sasl_compat=no])])
 ])
-dnl ====================================================================
-dnl check for SSL compatibility
-AC_DEFUN([OL_SSL_COMPAT],
-[AC_CACHE_CHECK([OpenSSL library version (CRL checking capability)],
-       [ol_cv_ssl_crl_compat],[
-               AC_EGREP_CPP(__ssl_compat,[
-#ifdef HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#endif
-
-/* Require 0.9.7d+ */
-#if OPENSSL_VERSION_NUMBER >= 0x0090704fL
-       char *__ssl_compat = "0.9.7d";
-#endif
-       ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
-])
index 5d15f7d48ff2c7365c4064b71e1ee4cda3c40559..d933f50e2851e805117785cbbb948028b5e50264 100644 (file)
@@ -1163,6 +1163,13 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
        AC_CHECK_HEADERS(openssl/ssl.h)
 
        if test $ac_cv_header_openssl_ssl_h = yes ; then
+                       AC_PREPROC_IFELSE([AC_LANG_SOURCE(
+                               [[#include <openssl/opensslv.h>]
+[#if OPENSSL_VERSION_NUMBER < 0x1000200fL]
+[#error "OpenSSL is too old"]
+[#endif]])],
+                                       , [AC_MSG_FAILURE([OpenSSL 1.0.2a or newer required])])
+
                AC_CHECK_LIB(ssl, SSL_CTX_set_msg_callback,
                        [have_openssl=yes
                        need_rsaref=no], [have_openssl=no],
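Review bot: The failure message on the added `AC_MSG_FAILURE` line does not match the comparison two lines above it: `0x1000200fL` has a zero patch field, i.e. plain 1.0.2 (release status `f`) passes, so "1.0.2a or newer required" overstates the floor the check actually enforces, and the commit title itself says "1.0.2 or later"; I would change it to `AC_MSG_FAILURE([OpenSSL 1.0.2 or newer required])`. A second point, hedged because the enclosing `if` starts outside the hunk: its condition (visible in the hunk header) also covers `ol_with_tls = auto`, so a system with an older OpenSSL header now aborts configure outright instead of falling through to the later GnuTLS/no-TLS selection; if that fallback is wanted, the old-version branch should set `have_openssl=no` and skip the `AC_CHECK_LIB` rather than fail. Also worth a one-line comment above the check that it inspects the headers found via CPPFLAGS only, since the library actually linked by `AC_CHECK_LIB(ssl, ...)` is not version-checked here.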
@@ -1191,12 +1198,6 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
                        else
                                TLS_LIBS="-lssl -lcrypto"
                        fi
-
-                       OL_SSL_COMPAT
-                       if test $ol_cv_ssl_crl_compat = yes ; then
-                               AC_DEFINE(HAVE_OPENSSL_CRL, 1, 
-                                       [define if you have OpenSSL with CRL checking capability])
-                       fi
                fi
        fi
 fi
index 7a419ca7e72ea58a6c88739ef421ebe61a033ed8..19d4442d4e9688a3f14afe1badcc6adeaf5de6f5 100644 (file)
 /* Define to 1 if you have the <openssl/bn.h> header file. */
 #undef HAVE_OPENSSL_BN_H
 
-/* define if you have OpenSSL with CRL checking capability */
-#undef HAVE_OPENSSL_CRL
-
 /* Define to 1 if you have the <openssl/crypto.h> header file. */
 #undef HAVE_OPENSSL_CRYPTO_H
 
index ebf91a5774f2b5d0d75e115889b708dc599d6fa6..05a81c554bd8c7f1e8b6e3c4d0fb9fcdf761aa3f 100644 (file)
@@ -126,7 +126,7 @@ static const struct ol_attribute {
        {0, ATTR_TLS,   "TLS_PEERKEY_HASH",     NULL,   LDAP_OPT_X_TLS_PEERKEY_HASH},
        {0, ATTR_TLS,   "TLS_ECNAME",           NULL,   LDAP_OPT_X_TLS_ECNAME},
 
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
        {0, ATTR_TLS,   "TLS_CRLCHECK",         NULL,   LDAP_OPT_X_TLS_CRLCHECK},
 #endif
 #ifdef HAVE_GNUTLS
index 2d069af67de84f0664ae3fde420526ddc91a1ffa..cf6eae66fa7b1d525c5056edaae076af4d93aab2 100644 (file)
@@ -629,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
                }
                return ldap_pvt_tls_set_option( ld, option, &i );
                }
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
        case LDAP_OPT_X_TLS_CRLCHECK:   /* OpenSSL only */
                i = -1;
                if ( strcasecmp( arg, "none" ) == 0 ) {
@@ -719,7 +719,7 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
        case LDAP_OPT_X_TLS_REQUIRE_SAN:
                *(int *)arg = lo->ldo_tls_require_san;
                break;
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
        case LDAP_OPT_X_TLS_CRLCHECK:   /* OpenSSL only */
                *(int *)arg = lo->ldo_tls_crlcheck;
                break;
@@ -937,7 +937,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
                        return 0;
                }
                return -1;
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
        case LDAP_OPT_X_TLS_CRLCHECK:   /* OpenSSL only */
                if ( !arg ) return -1;
                switch( *(int *) arg ) {
index 2d6bc9c9eb2de64d2b0abc2e5bd9eeeb8985ac4e..89ef4a25d3bd2a5a81c15c64faf1756d48dd0326 100644 (file)
@@ -46,8 +46,6 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/dh.h>
-#elif defined( HAVE_SSL_H )
-#include <ssl.h>
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
@@ -244,11 +242,7 @@ tlso_destroy( void )
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000
        EVP_cleanup();
-#if OPENSSL_VERSION_NUMBER < 0x10000000
-       ERR_remove_state(0);
-#else
        ERR_remove_thread_state(NULL);
-#endif
        ERR_free_strings();
 #endif
 
@@ -498,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 #if OPENSSL_VERSION_NUMBER < 0x10100000
        SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
 #endif
-#ifdef HAVE_OPENSSL_CRL
        if ( lo->ldo_tls_crlcheck ) {
                X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
                if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
@@ -508,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                                        X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL  );
                }
        }
-#endif
        return 0;
 }
 
@@ -904,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
 static int
 tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 {
-#if OPENSSL_VERSION_NUMBER >= 0x00908000
        tlso_session *s = (tlso_session *)sess;
        const EVP_MD *md;
        unsigned int md_len;
@@ -944,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
        buf->bv_len = md_len;
 
        return md_len;
-#else
-       return 0;
-#endif
 }
 
 static const char *
@@ -1470,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
        RSA *tmp_rsa;
        /* FIXME:  Pregenerate the key on startup */
        /* FIXME:  Who frees the key? */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000
        BIGNUM *bn = BN_new();
        tmp_rsa = NULL;
        if ( bn ) {
@@ -1483,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
                }
                BN_free( bn );
        }
-#else
-       tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
-#endif
 
        if ( !tmp_rsa ) {
                Debug2( LDAP_DEBUG_ANY,
index c8bcdbadd287ba78ddc7c1eaa1a92d7ee856bce1..fc9e783f20ff8d80d4ec3df24604d293e2138e8a 100644 (file)
@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = {
                        "EQUALITY caseExactMatch "
                        "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
        { "TLSCRLCheck", NULL, 2, 2, 0,
-#if defined(HAVE_TLS) && defined(HAVE_OPENSSL_CRL)
+#if defined(HAVE_TLS) && defined(HAVE_OPENSSL)
                CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config,
 #else
                ARG_IGNORED, NULL,
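Review bot: The `#else` branch still maps `TLSCRLCheck` to `ARG_IGNORED`, so on a slapd built without OpenSSL (e.g. GnuTLS) a `TLSCRLCheck peer`/`all` directive is accepted and has no effect, and an administrator may believe certificate revocation is being enforced when it is not; the commit widens the guard but keeps this silent-accept behaviour. As far as I can tell from this table entry alone, `ARG_IGNORED` is dropped without an operator-visible message, so at minimum I would add a comment on that branch, `/* Accepted but has no effect: CRL checking requires OpenSSL */`, and consider logging a warning at config-parse time so the directive is not mistaken for active revocation checking. The ConfigTable array this entry belongs to starts and ends outside the hunk.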
index 2248a9a3e1a2435be4751a88b40977d571900123..7fe76e85be55be83becd5da5464520aed5c279a8 100644 (file)
@@ -1492,7 +1492,7 @@ static slap_cf_aux_table bindkey[] = {
        { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
        { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
        { BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
        { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
 #endif
 #endif
@@ -1873,7 +1873,7 @@ void bindconf_free( slap_bindconf *bc ) {
                ch_free( bc->sb_tls_ecname );
                bc->sb_tls_ecname = NULL;
        }
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
        if ( bc->sb_tls_crlcheck ) {
                ch_free( bc->sb_tls_crlcheck );
                bc->sb_tls_crlcheck = NULL;
@@ -1913,7 +1913,7 @@ bindconf_tls_defaults( slap_bindconf *bc )
                if ( !bc->sb_tls_ecname )
                        slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
                                &bc->sb_tls_ecname );
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
                if ( !bc->sb_tls_crlcheck )
                        slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
                                &bc->sb_tls_crlcheck );
@@ -1986,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
                        res = -1;
                }
        }
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
        if ( bc->sb_tls_crlcheck ) {
                rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
                        bc->sb_tls_crlcheck );
index 3f5180b3012635540306ec44ddbbacb507f1de3a..856fee7b2bf2ad39b60e0141a86d32cb34a03867 100644 (file)
@@ -1655,7 +1655,7 @@ typedef struct slap_bindconf {
        char *sb_tls_cipher_suite;
        char *sb_tls_protocol_min;
        char *sb_tls_ecname;
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
        char *sb_tls_crlcheck;
 #endif
        int sb_tls_do_init;