From: David Sommerseth Date: Tue, 11 Apr 2017 17:31:33 +0000 (+0200) Subject: Require minimum OpenSSL 1.0.1 X-Git-Tag: v2.5_beta1~712 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=039a89c331e9b799;p=thirdparty%2Fopenvpn.git Require minimum OpenSSL 1.0.1 As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. This also makes it possible to remove a few workaronds which was needed earlier, as well as some left overs from v0.9.6. This also makes ./configure really stop running unless a new enough OpenSSL library is found. Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping openssl-1.0.1e. Signed-off-by: David Sommerseth Acked-by: Steffan Karger Message-Id: <20170411173133.18060-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14441.html Signed-off-by: David Sommerseth
---
diff --git a/configure.ac b/configure.ac
index 2406ad8d6..acea060b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
 # if the user did not explicitly specify flags, try to autodetect
 PKG_CHECK_MODULES(
 [OPENSSL],
- [libcrypto >= 0.9.8, libssl >= 0.9.8],
- [have_openssl="yes"],
- [have_openssl="no"] # Provide if-not-found to prevent erroring out
+ [libcrypto >= 1.0.1, libssl >= 1.0.1],
+ [have_openssl="yes"],
+ [AC_MSG_ERROR([Minimum supported OpenSSL version is 1.0.1])]
 )
 OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index a9f5db7c7..c3248fde1 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
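Review bot: The failure branch of PKG_CHECK_MODULES now aborts, so `have_openssl` can only ever be set to "yes" here and any later `test "${have_openssl}" = "no"` fallback (not visible in this hunk) becomes unreachable and can be dropped. The error message also gives no hint that pkg-config may simply not find the .pc files; consider `[AC_MSG_ERROR([OpenSSL >= 1.0.1 not found via pkg-config; set OPENSSL_CFLAGS/OPENSSL_LIBS if it is installed elsewhere])]`. Per the comment above the macro this check only runs when the user did not specify flags, so a manually pointed-to older OpenSSL is still not rejected by configure at this point. The enclosing `if` block starts and ends outside the hunk.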
@@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback. Note that exporter labels have the potential to collide with existing PRF labels. In order to prevent this, labels MUST begin with "EXPORTER".
-This option requires OpenSSL 1.0.1 or newer.
 .\"*********************************************************
 .SS Server Mode
 Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
diff --git a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
index 177977df3..a72b374a3 100644
--- a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
+++ b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
@@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509)
 {
 continue;
 }
- /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
- unsigned char *buf = (unsigned char *)1;
+ unsigned char *buf = NULL;
 if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
 {
 continue;
diff --git a/sample/sample-plugins/log/log_v3.c b/sample/sample-plugins/log/log_v3.c
index 9037225a2..d3014f37b 100644
--- a/sample/sample-plugins/log/log_v3.c
+++ b/sample/sample-plugins/log/log_v3.c
@@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt)
 X509_NAME *x509_name;
 X509_NAME_ENTRY *ent;
 const char *objbuf;
- unsigned char *buf;
+ unsigned char *buf = NULL;
 x509_name = X509_get_subject_name(x509crt);
 n = X509_NAME_entry_count(x509_name);
@@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt)
 {
 continue;
 }
- buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
 if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
 {
 continue;
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index d7cc2ba44..645ccf512 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
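Review bot: The new `unsigned char *buf = NULL;` in session_user_set leaves it undocumented that ASN1_STRING_to_UTF8() allocates `*buf` on success and that the caller owns the result; a one-line comment at the declaration such as `/* on success *buf is allocated by OpenSSL; release it with OPENSSL_free() */` would make the ownership visible where the buffer is introduced. The same applies to the equivalent declarations in log_v3.c and ssl_verify_openssl.c in this commit. Whether the loop body releases the buffer is outside this hunk, as is the rest of session_user_set().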
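Review bot: In x509_print_info `buf` is now initialised once at function scope (first hunk) and the per-iteration reset is gone (second hunk), so if the loop body frees the buffer after use (outside the hunk) the variable holds a freed pointer across iterations until the next successful ASN1_STRING_to_UTF8() call overwrites it. In OpenSSL 1.0.1 and later ASN1_STRING_to_UTF8() only writes `*out` on success and does not read the old value, so this is not a bug, but declaring `unsigned char *buf = NULL;` inside the loop, as keyingmaterialexporter.c does in this same commit, would keep the pointer scoped to a single entry. x509_setenv in ssl_verify_openssl.c has the same function-scope declaration. The loop and the function body extend beyond both hunks.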
@@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 sslopt |= SSL_OP_NO_TLSv1_2;
 }
 #endif
-#ifdef SSL_OP_NO_COMPRESSION
- /* Disable compression - flag not available in OpenSSL 0.9.8 */
 sslopt |= SSL_OP_NO_COMPRESSION;
-#endif
 SSL_CTX_set_options(ctx->ctx, sslopt);
 }
diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
index 6ca4cb6de..60a1f5e1e 100644
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@@ -32,17 +32,6 @@
 #include
-/**
- * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
- * as this is something we do not want nor need, but could potentially be
- * used for a future attack. For compatibility reasons we keep building if the
- * OpenSSL version is too old (pre-0.9.8f) to support stateless session
- * resumption (and the accompanying SSL_OP_NO_TICKET flag).
- */
-#ifndef SSL_OP_NO_TICKET
-#define SSL_OP_NO_TICKET 0
-#endif
-
 /**
 * Structure that wraps the TLS context. Contents differ depending on the
 * SSL library used.
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 5624daac5..54eadbdc8 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -458,8 +458,7 @@ x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int dep
 if (ent)
 {
 ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
- unsigned char *buf;
- buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+ unsigned char *buf = NULL;
 if (ASN1_STRING_to_UTF8(&buf, val) > 0)
 {
 do_setenv_x509(es, xt->name, (char *)buf, depth);
@@ -514,7 +513,7 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
 ASN1_STRING *val;
 X509_NAME_ENTRY *ent;
 const char *objbuf;
- unsigned char *buf;
+ unsigned char *buf = NULL;
 char *name_expand;
 size_t name_expand_size;
 X509_NAME *x509 = X509_get_subject_name(peer_cert);
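Review bot: With the `#ifdef` gone, the deleted comment was the only explanation of why `SSL_OP_NO_COMPRESSION` is set in tls_ctx_set_options, and the remaining line now carries no rationale; keep one, e.g. `/* TLS compression leaks plaintext (CRIME-style attacks); always disable it */`. The `#endif` two lines above presumably closes a `#ifdef SSL_OP_NO_TLSv1_2` guard, which is equally obsolete with a 1.0.1 floor since TLS 1.2 support and that option exist from 1.0.1 on; its opening and the start of tls_ctx_set_options() lie outside the hunk.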
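Review bot: Dropping the SSL_OP_NO_TICKET fallback means ssl_openssl.h now assumes a 1.0.1 API, but nothing visible enforces that at compile time, and the configure.ac check in this commit only runs when OPENSSL_CFLAGS/OPENSSL_LIBS are not given, so an older library pointed to manually would fail late with unrelated-looking errors. Add after the include: `#if OPENSSL_VERSION_NUMBER < 0x10001000L` / `#error "OpenVPN requires OpenSSL 1.0.1 or newer"` / `#endif`. The removed block was also the only place that recorded why stateless session resumption is disabled; that rationale should move to where SSL_OP_NO_TICKET is actually set (ssl_openssl.c, outside this hunk) rather than disappear.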
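Review bot: The length returned by ASN1_STRING_to_UTF8() in x509_setenv_track is only tested for `> 0` and then discarded before `buf` is handed to do_setenv_x509() as a C string, so a subject component containing an embedded NUL byte would be exported truncated at that byte. Unless this is rejected elsewhere in the verification path (not visible here), capturing the length in an `int len` and checking `strlen((char *)buf) == (size_t)len` before the export would make the check explicit. The same pattern appears in x509_setenv in the following hunk and in the two sample plugins; the enclosing function bodies extend beyond the hunk.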
@@ -547,7 +546,6 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
 {
 continue;
 }
- buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
 if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
 {
 continue;