From: Ondřej Surý Date: Mon, 1 Jul 2024 09:05:18 +0000 (+0200) Subject: Remove no longer needed OpenSSL shims and checks X-Git-Tag: alessio/regression/a26055f03e~6^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ccfbcfe728192e7988decebed979a2f40c84b4a;p=thirdparty%2Fbind9.git Remove no longer needed OpenSSL shims and checks Since the minimal OpenSSL version is now OpenSSL 1.1.1, remove all kind of OpenSSL shims and checks for functions that are now always present in the OpenSSL libraries. Co-authored-by: Ondřej Surý Co-authored-by: Aydın Mercan --- diff --git a/bin/named/main.c b/bin/named/main.c index e5a17b2f458..2bb5c1292dd 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -590,16 +590,8 @@ printversion(bool verbose) { printf("compiled by Solaris Studio %x\n", __SUNPRO_C); #endif /* ifdef __SUNPRO_C */ printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT); -#if !defined(LIBRESSL_VERSION_NUMBER) && \ - OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */ printf("linked to OpenSSL version: %s\n", OpenSSL_version(OPENSSL_VERSION)); - -#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \ - * 0x10100000L */ - printf("linked to OpenSSL version: %s\n", - SSLeay_version(SSLEAY_VERSION)); -#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR, UV_VERSION_MINOR, UV_VERSION_PATCH); printf("linked to libuv version: %s\n", uv_version_string()); diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index ad7e2fbb477..474507156d7 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -89,7 +89,7 @@ for good in good-*.conf; do good-proxy-*doh*.conf) continue ;; bad-proxy-*doh*.conf) continue ;; esac - elif ! $FEATURETEST --have-openssl-cipher-suites; then + else case $good in good-tls-cipher-suites-*.conf) continue ;; esac diff --git a/bin/tests/system/cipher-suites/prereq.sh b/bin/tests/system/cipher-suites/prereq.sh deleted file mode 100644 index 910359535ce..00000000000 --- a/bin/tests/system/cipher-suites/prereq.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ../conf.sh - -$FEATURETEST --have-openssl-cipher-suites || { - echo_i "SSL_CTX_set_ciphersuites() is required for the test." - exit 255 -} - -exit 0 diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c index 66731c513df..5b3c504d626 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -49,7 +49,6 @@ usage(void) { fprintf(stderr, "\t--have-geoip2\n"); fprintf(stderr, "\t--have-json-c\n"); fprintf(stderr, "\t--have-libxml2\n"); - fprintf(stderr, "\t--have-openssl-cipher-suites\n"); fprintf(stderr, "\t--ipv6only=no\n"); fprintf(stderr, "\t--md5\n"); fprintf(stderr, "\t--rsasha1\n"); @@ -185,14 +184,6 @@ main(int argc, char **argv) { #endif /* ifdef HAVE_LIBXML2 */ } - if (strcmp(argv[1], "--have-openssl-cipher-suites") == 0) { -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES - return (0); -#else /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */ - return (1); -#endif /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */ - } - if (strcmp(argv[1], "--tsan") == 0) { #if defined(__has_feature) #if __has_feature(thread_sanitizer) diff --git a/configure.ac b/configure.ac index f764eb15490..856920226b8 100644 --- a/configure.ac +++ b/configure.ac @@ -664,53 +664,6 @@ LIBS="$OPENSSL_LIBS $LIBS" # # Check for functions added in OpenSSL or LibreSSL # - -AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex]) -AC_CHECK_FUNCS([BN_GENCB_new]) -AC_CHECK_FUNCS([CRYPTO_zalloc]) -AC_CHECK_FUNCS([ERR_get_error_all]) -AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free]) -AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset EVP_MD_CTX_get0_md]) -AC_CHECK_FUNCS([EVP_PKEY_new_raw_private_key EVP_PKEY_eq]) -AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup]) -AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback]) -AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version]) -AC_CHECK_FUNCS([SSL_CTX_up_ref]) -AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex]) -AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref]) -AC_CHECK_FUNCS([SSL_CTX_up_ref]) -AC_CHECK_FUNCS([SSL_SESSION_is_resumable]) -AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites]) - -# -# Check for algorithm support in OpenSSL -# - -AC_CHECK_FUNCS([EVP_DigestSignInit EVP_DigestVerifyInit], [:], - [AC_MSG_FAILURE([EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory.])]) - -AC_MSG_CHECKING([for ECDSA P-256 support]) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM([[#include ]], - [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_X9_62_prime256v1, NULL);]])], - [AC_MSG_RESULT([yes])], - [AC_MSG_FAILURE([not found. ECDSA P-256 support in OpenSSL is mandatory.])]) - -AC_MSG_CHECKING([for ECDSA P-384 support]) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM([[#include ]], - [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_secp384r1, NULL);]])], - [AC_MSG_RESULT([yes])], - [AC_MSG_FAILURE([not found. ECDSA P-384 support in OpenSSL is mandatory.])]) - -AC_MSG_CHECKING([for Ed25519 support]) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM([[#include ]], - [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);]])], - [AC_DEFINE([HAVE_OPENSSL_ED25519], [1], [define if OpenSSL supports Ed25519]) - AC_MSG_RESULT([yes])], - [AC_MSG_RESULT([no])]) - AC_MSG_CHECKING([for Ed448 support]) AC_COMPILE_IFELSE( [AC_LANG_PROGRAM([[#include ]], @@ -719,25 +672,11 @@ AC_COMPILE_IFELSE( AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no])]) -# -# Check for OpenSSL SHA-1 support -# -AC_CHECK_FUNCS([EVP_sha1], [:], - [AC_MSG_FAILURE([SHA-1 support in OpenSSL is mandatory.])]) - -# -# Check for OpenSSL SHA-2 support -# -AC_CHECK_FUNCS([EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [:], - [AC_MSG_FAILURE([SHA-2 support in OpenSSL is mandatory.])]) - -# -# Check for OpenSSL 1.1.x/LibreSSL functions -# -AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY]) -AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA]) - -AC_CHECK_FUNCS([TLS_server_method TLS_client_method]) +AC_CHECK_FUNCS([ERR_get_error_all]) +AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex]) +AC_CHECK_FUNCS([EVP_MD_CTX_get0_md]) +AC_CHECK_FUNCS([EVP_PKEY_eq]) +AC_CHECK_FUNCS([SSL_CTX_set1_cert_store]) # # Check whether FIPS mode is available and whether we should enable it diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index ac35b4dab20..487bb84beea 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -217,14 +217,12 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { DST_ALG_RSASHA512)); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); -#ifdef HAVE_OPENSSL_ED25519 RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519], DST_ALG_ED25519)); -#endif /* ifdef HAVE_OPENSSL_ED25519 */ #ifdef HAVE_OPENSSL_ED448 RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448], DST_ALG_ED448)); -#endif /* ifdef HAVE_OPENSSL_ED448 */ +#endif /* HAVE_OPENSSL_ED448 */ #if HAVE_GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index a78b710738b..cf902deaa61 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -214,10 +214,8 @@ isc_result_t dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); isc_result_t dst__opensslecdsa_init(struct dst_func **funcp); -#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 isc_result_t dst__openssleddsa_init(struct dst_func **funcp, unsigned char algorithm); -#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */ #if HAVE_GSSAPI isc_result_t dst__gssapi_init(struct dst_func **funcp); diff --git a/lib/dns/openssl_shim.c b/lib/dns/openssl_shim.c index 128ffd3eb19..1034713b8dd 100644 --- a/lib/dns/openssl_shim.c +++ b/lib/dns/openssl_shim.c @@ -15,137 +15,6 @@ #include -#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L -/* From OpenSSL 1.1.0 */ -int -RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { - /* - * If the fields n and e in r are NULL, the corresponding input - * parameters MUST be non-NULL for n and e. d may be - * left NULL (in case only the public key is used). - */ - if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) { - return (0); - } - - if (n != NULL) { - BN_free(r->n); - r->n = n; - } - if (e != NULL) { - BN_free(r->e); - r->e = e; - } - if (d != NULL) { - BN_clear_free(r->d); - r->d = d; - } - - return (1); -} - -int -RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) { - /* - * If the fields p and q in r are NULL, the corresponding input - * parameters MUST be non-NULL. - */ - if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) { - return (0); - } - - if (p != NULL) { - BN_clear_free(r->p); - r->p = p; - } - if (q != NULL) { - BN_clear_free(r->q); - r->q = q; - } - - return (1); -} - -int -RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) { - /* - * If the fields dmp1, dmq1 and iqmp in r are NULL, the - * corresponding input parameters MUST be non-NULL. - */ - if ((r->dmp1 == NULL && dmp1 == NULL) || - (r->dmq1 == NULL && dmq1 == NULL) || - (r->iqmp == NULL && iqmp == NULL)) - { - return (0); - } - - if (dmp1 != NULL) { - BN_clear_free(r->dmp1); - r->dmp1 = dmp1; - } - if (dmq1 != NULL) { - BN_clear_free(r->dmq1); - r->dmq1 = dmq1; - } - if (iqmp != NULL) { - BN_clear_free(r->iqmp); - r->iqmp = iqmp; - } - - return (1); -} - -void -RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, - const BIGNUM **d) { - SET_IF_NOT_NULL(n, r->n); - SET_IF_NOT_NULL(e, r->e); - SET_IF_NOT_NULL(d, r->d); -} - -void -RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) { - SET_IF_NOT_NULL(p, r->p); - SET_IF_NOT_NULL(q, r->q); -} - -void -RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, - const BIGNUM **iqmp) { - SET_IF_NOT_NULL(dmp1, r->dmp1); - SET_IF_NOT_NULL(dmq1, r->dmq1); - SET_IF_NOT_NULL(iqmp, r->iqmp); -} - -int -RSA_test_flags(const RSA *r, int flags) { - return (r->flags & flags); -} -#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */ - -#if !HAVE_ECDSA_SIG_GET0 -/* From OpenSSL 1.1 */ -void -ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) { - SET_IF_NOT_NULL(pr, sig->r); - SET_IF_NOT_NULL(ps, sig->s); -} - -int -ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { - if (r == NULL || s == NULL) { - return (0); - } - - BN_clear_free(sig->r); - BN_clear_free(sig->s); - sig->r = r; - sig->s = s; - - return (1); -} -#endif /* !HAVE_ECDSA_SIG_GET0 */ - #if !HAVE_ERR_GET_ERROR_ALL static const char err_empty_string = '\0'; diff --git a/lib/dns/openssl_shim.h b/lib/dns/openssl_shim.h index a0b87626db1..72d462d0bd5 100644 --- a/lib/dns/openssl_shim.h +++ b/lib/dns/openssl_shim.h @@ -28,74 +28,6 @@ #define RSA_MAX_PUBEXP_BITS 35 #endif /* ifndef RSA_MAX_PUBEXP_BITS */ -#if !HAVE_BN_GENCB_NEW -/* These are new in OpenSSL 1.1.0. */ -static inline BN_GENCB * -BN_GENCB_new(void) { - return (OPENSSL_malloc(sizeof(BN_GENCB))); -} - -static inline void -BN_GENCB_free(BN_GENCB *cb) { - if (cb == NULL) { - return; - } - OPENSSL_free(cb); -} - -static inline void * -BN_GENCB_get_arg(BN_GENCB *cb) { - return cb->arg; -} -#endif /* !HAVE_BN_GENCB_NEW */ - -#if !HAVE_EVP_PKEY_GET0_RSA && OPENSSL_VERSION_NUMBER < 0x10100000L -static inline const RSA * -EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) { - return (pkey->type == EVP_PKEY_RSA ? pkey->pkey.rsa : NULL); -} -#endif - -#if !HAVE_EVP_PKEY_GET0_EC_KEY && OPENSSL_VERSION_NUMBER < 0x10100000L -static inline const EC_KEY * -EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) { - return (pkey->type == EVP_PKEY_EC ? pkey->pkey.ec : NULL); -} -#endif - -#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L -int -RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); - -int -RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); - -int -RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); - -void -RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, - const BIGNUM **d); - -void -RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); - -void -RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, - const BIGNUM **iqmp); - -int -RSA_test_flags(const RSA *r, int flags); -#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */ - -#if !HAVE_ECDSA_SIG_GET0 -void -ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); - -int -ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); -#endif /* !HAVE_ECDSA_SIG_GET0 */ - #if !HAVE_ERR_GET_ERROR_ALL unsigned long ERR_get_error_all(const char **file, int *line, const char **func, diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index a807638387b..a299bd02274 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c @@ -13,8 +13,6 @@ /*! \file */ -#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 - #include #include @@ -41,11 +39,9 @@ goto err; \ } -#if HAVE_OPENSSL_ED25519 #ifndef NID_ED25519 #error "Ed25519 group is not known (NID_ED25519)" #endif /* ifndef NID_ED25519 */ -#endif /* HAVE_OPENSSL_ED25519 */ #if HAVE_OPENSSL_ED448 #ifndef NID_ED448 @@ -60,7 +56,6 @@ typedef struct eddsa_alginfo { static const eddsa_alginfo_t * openssleddsa_alg_info(unsigned int key_alg) { -#if HAVE_OPENSSL_ED25519 if (key_alg == DST_ALG_ED25519) { static const eddsa_alginfo_t ed25519_alginfo = { .pkey_type = EVP_PKEY_ED25519, @@ -70,7 +65,6 @@ openssleddsa_alg_info(unsigned int key_alg) { }; return &ed25519_alginfo; } -#endif /* HAVE_OPENSSL_ED25519 */ #if HAVE_OPENSSL_ED448 if (key_alg == DST_ALG_ED448) { static const eddsa_alginfo_t ed448_alginfo = { @@ -586,7 +580,6 @@ static unsigned char ed448_sig[] = "\xb4\xee\x3f\x0e\x2b\x35\xdd\x5a\x35\xfe\x35\x00"; #endif -#if HAVE_OPENSSL_ED25519 static unsigned char ed25519_pub[] = "\x66\x5c\x21\x59\xe3\xa0\x6e\xa3\x7d\x82\x7c\xf1\xe7\xa3\xdd\xaf\xd1" "\x6d\x92\x81\xfb\x09\x0c\x7c\xfe\x6d\xf8\x87\x24\x7e\x6e\x25"; @@ -595,7 +588,6 @@ static unsigned char ed25519_sig[] = "\x38\xa3\x9c\xa3\x42\x4d\xc8\x89\xff\x84\xea\x2c\xa8\x8b\xfa\x2f\xab" "\x75\x7c\x68\x95\xfd\xdf\x62\x60\x4e\x4d\x10\xf8\x3c\xae\xcf\x18\x93" "\x90\x05\xa4\x54\x38\x45\x2f\x81\x71\x1e\x0f\x46\x04"; -#endif static isc_result_t check_algorithm(unsigned char algorithm) { @@ -621,8 +613,7 @@ check_algorithm(unsigned char algorithm) { key_len = sizeof(ed448_pub) - 1; alginfo = openssleddsa_alg_info(algorithm); break; -#endif -#if HAVE_OPENSSL_ED25519 +#endif /* HAVE_OPENSSL_ED448 */ case DST_ALG_ED25519: sig = ed25519_sig; sig_len = sizeof(ed25519_sig) - 1; @@ -630,7 +621,6 @@ check_algorithm(unsigned char algorithm) { key_len = sizeof(ed25519_pub) - 1; alginfo = openssleddsa_alg_info(algorithm); break; -#endif default: DST_RET(ISC_R_NOTIMPLEMENTED); } @@ -673,5 +663,3 @@ dst__openssleddsa_init(dst_func_t **funcp, unsigned char algorithm) { } return (ISC_R_SUCCESS); } - -#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */ diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c index c39ba8c6827..08bc9c56a90 100644 --- a/lib/isc/openssl_shim.c +++ b/lib/isc/openssl_shim.c @@ -24,81 +24,6 @@ #include "openssl_shim.h" -#if !HAVE_CRYPTO_ZALLOC -void * -CRYPTO_zalloc(size_t num, const char *file, int line) { - void *ret = CRYPTO_malloc(num, file, line); - if (ret != NULL) { - memset(ret, 0, num); - } - return (ret); -} -#endif /* if !HAVE_CRYPTO_ZALLOC */ - -#if !HAVE_EVP_CIPHER_CTX_NEW -EVP_CIPHER_CTX * -EVP_CIPHER_CTX_new(void) { - EVP_CIPHER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); - return (ctx); -} -#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */ - -#if !HAVE_EVP_CIPHER_CTX_FREE -void -EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { - if (ctx != NULL) { - EVP_CIPHER_CTX_cleanup(ctx); - OPENSSL_free(ctx); - } -} -#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */ - -#if !HAVE_EVP_MD_CTX_RESET -int -EVP_MD_CTX_reset(EVP_MD_CTX *ctx) { - return (EVP_MD_CTX_cleanup(ctx)); -} -#endif /* if !HAVE_EVP_MD_CTX_RESET */ - -#if !HAVE_SSL_READ_EX -int -SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) { - int rv = SSL_read(ssl, buf, num); - if (rv > 0) { - *readbytes = rv; - rv = 1; - } - - return (rv); -} -#endif - -#if !HAVE_SSL_PEEK_EX -int -SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) { - int rv = SSL_peek(ssl, buf, num); - if (rv > 0) { - *readbytes = rv; - rv = 1; - } - - return (rv); -} -#endif - -#if !HAVE_SSL_WRITE_EX -int -SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written) { - int rv = SSL_write(ssl, buf, num); - if (rv > 0) { - *written = rv; - rv = 1; - } - - return (rv); -} -#endif - #if !HAVE_BIO_READ_EX int BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) { @@ -110,7 +35,7 @@ BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) { return (rv); } -#endif +#endif /* !HAVE_BIO_READ_EX */ #if !HAVE_BIO_WRITE_EX int @@ -123,76 +48,13 @@ BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written) { return (rv); } -#endif - -#if !HAVE_OPENSSL_INIT_CRYPTO -int -OPENSSL_init_crypto(uint64_t opts, const void *settings) { - (void)settings; - - if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) == 0) { - ERR_load_crypto_strings(); - } - - if ((opts & (OPENSSL_INIT_NO_ADD_ALL_CIPHERS | - OPENSSL_INIT_NO_ADD_ALL_CIPHERS)) == 0) - { - OpenSSL_add_all_algorithms(); - } else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) { - OpenSSL_add_all_digests(); - } else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) { - OpenSSL_add_all_ciphers(); - } - - return (1); -} -#endif - -#if !HAVE_OPENSSL_INIT_SSL -int -OPENSSL_init_ssl(uint64_t opts, const void *settings) { - OPENSSL_init_crypto(opts, settings); - - SSL_library_init(); - - if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS) == 0) { - SSL_load_error_strings(); - } - - return (1); -} -#endif - -#if !HAVE_OPENSSL_CLEANUP -void -OPENSSL_cleanup(void) { - return; -} -#endif - -#if !HAVE_X509_STORE_UP_REF - -int -X509_STORE_up_ref(X509_STORE *store) { - return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE) > 0); -} - -#endif /* !HAVE_OPENSSL_CLEANUP */ +#endif /* !HAVE_BIO_WRITE_EX */ #if !HAVE_SSL_CTX_SET1_CERT_STORE - void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) { (void)X509_STORE_up_ref(store); SSL_CTX_set_cert_store(ctx, store); } - #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */ - -#if !HAVE_SSL_CTX_UP_REF -int -SSL_CTX_up_ref(SSL_CTX *ctx) { - return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0); -} -#endif /* !HAVE_SSL_CTX_UP_REF */ diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h index b2916e20a90..f7f6f5ae568 100644 --- a/lib/isc/openssl_shim.h +++ b/lib/isc/openssl_shim.h @@ -20,118 +20,21 @@ #include #include -#if !HAVE_CRYPTO_ZALLOC -void * -CRYPTO_zalloc(size_t num, const char *file, int line); -#endif /* if !HAVE_CRYPTO_ZALLOC */ - -#if !defined(OPENSSL_zalloc) -#define OPENSSL_zalloc(num) CRYPTO_zalloc(num, __FILE__, __LINE__) -#endif - -#if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY -#define EVP_PKEY_new_raw_private_key(type, e, key, keylen) \ - EVP_PKEY_new_mac_key(type, e, key, (int)(keylen)) -#endif /* if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY */ - -#if !HAVE_EVP_CIPHER_CTX_NEW -EVP_CIPHER_CTX * -EVP_CIPHER_CTX_new(void); -#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */ - -#if !HAVE_EVP_CIPHER_CTX_FREE -void -EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx); -#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */ - -#if !HAVE_EVP_MD_CTX_NEW -#define EVP_MD_CTX_new EVP_MD_CTX_create -#endif /* if !HAVE_EVP_MD_CTX_NEW */ - -#if !HAVE_EVP_MD_CTX_FREE -#define EVP_MD_CTX_free EVP_MD_CTX_destroy -#endif /* if !HAVE_EVP_MD_CTX_FREE */ - -#if !HAVE_EVP_MD_CTX_RESET -int -EVP_MD_CTX_reset(EVP_MD_CTX *ctx); -#endif /* if !HAVE_EVP_MD_CTX_RESET */ - #if !HAVE_EVP_MD_CTX_GET0_MD #define EVP_MD_CTX_get0_md EVP_MD_CTX_md #endif /* if !HAVE_EVP_MD_CTX_GET0_MD */ -#if !HAVE_SSL_READ_EX -int -SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); -#endif - -#if !HAVE_SSL_PEEK_EX -int -SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); -#endif - -#if !HAVE_SSL_WRITE_EX -int -SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written); -#endif - #if !HAVE_BIO_READ_EX int BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes); -#endif +#endif /* !HAVE_BIO_READ_EX */ #if !HAVE_BIO_WRITE_EX int BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written); -#endif - -#if !HAVE_OPENSSL_INIT_CRYPTO - -#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0x00000001L -#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0x00000002L -#define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L -#define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L -#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS 0x00000010L -#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS 0x00000020L - -int -OPENSSL_init_crypto(uint64_t opts, const void *settings); -#endif - -#if !HAVE_OPENSSL_INIT_SSL -#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L -#define OPENSSL_INIT_LOAD_SSL_STRINGS 0x00200000L - -int -OPENSSL_init_ssl(uint64_t opts, const void *settings); - -#endif - -#if !HAVE_OPENSSL_CLEANUP -void -OPENSSL_cleanup(void); -#endif - -#if !HAVE_TLS_SERVER_METHOD -#define TLS_server_method SSLv23_server_method -#endif - -#if !HAVE_TLS_CLIENT_METHOD -#define TLS_client_method SSLv23_client_method -#endif - -#if !HAVE_X509_STORE_UP_REF -int -X509_STORE_up_ref(X509_STORE *v); -#endif /* !HAVE_OPENSSL_CLEANUP */ +#endif /* !HAVE_BIO_WRITE_EX */ #if !HAVE_SSL_CTX_SET1_CERT_STORE void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store); #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */ - -#if !HAVE_SSL_CTX_UP_REF -int -SSL_CTX_up_ref(SSL_CTX *store); -#endif /* !HAVE_SSL_CTX_UP_REF */ diff --git a/lib/isc/tls.c b/lib/isc/tls.c index 281c09a92ea..504b221115e 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c @@ -56,27 +56,6 @@ static isc_mem_t *isc__tls_mctx = NULL; -#if OPENSSL_VERSION_NUMBER < 0x10100000L -static isc_mutex_t *locks = NULL; -static int nlocks; - -static void -isc__tls_lock_callback(int mode, int type, const char *file, int line) { - UNUSED(file); - UNUSED(line); - if ((mode & CRYPTO_LOCK) != 0) { - LOCK(&locks[type]); - } else { - UNLOCK(&locks[type]); - } -} - -static void -isc__tls_set_thread_id(CRYPTO_THREADID *id) { - CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self()); -} -#endif - #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L /* * This was crippled with LibreSSL, so just skip it: @@ -163,7 +142,6 @@ isc__tls_initialize(void) { #endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \ 0x30000000L */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG; #if defined(OPENSSL_INIT_NO_ATEXIT) @@ -175,28 +153,6 @@ isc__tls_initialize(void) { #endif RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1); -#else - nlocks = CRYPTO_num_locks(); - locks = isc_mem_cget(isc__tls_mctx, nlocks, sizeof(locks[0])); - isc_mutexblock_init(locks, nlocks); - CRYPTO_set_locking_callback(isc__tls_lock_callback); - CRYPTO_THREADID_set_callback(isc__tls_set_thread_id); - - CRYPTO_malloc_init(); - ERR_load_crypto_strings(); - SSL_load_error_strings(); - SSL_library_init(); - -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - ENGINE_load_builtin_engines(); -#endif - OpenSSL_add_all_algorithms(); - OPENSSL_load_builtin_modules(); - - CONF_modules_load_file(NULL, NULL, - CONF_MFLAGS_DEFAULT_SECTION | - CONF_MFLAGS_IGNORE_MISSING_FILE); -#endif /* Protect ourselves against unseeded PRNG */ if (RAND_status() != 1) { @@ -208,28 +164,7 @@ isc__tls_initialize(void) { void isc__tls_shutdown(void) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L OPENSSL_cleanup(); -#else - CONF_modules_unload(1); - OBJ_cleanup(); - EVP_cleanup(); -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - ENGINE_cleanup(); -#endif - CRYPTO_cleanup_all_ex_data(); - ERR_remove_thread_state(NULL); - RAND_cleanup(); - ERR_free_strings(); - - CRYPTO_set_locking_callback(NULL); - - if (locks != NULL) { - isc_mutexblock_destroy(locks, nlocks); - isc_mem_cput(isc__tls_mctx, locks, nlocks, sizeof(locks[0])); - locks = NULL; - } -#endif isc_mem_destroy(&isc__tls_mctx); } @@ -260,15 +195,12 @@ isc_tlsctx_attach(isc_tlsctx_t *src, isc_tlsctx_t **ptarget) { *ptarget = src; } -#if HAVE_SSL_CTX_SET_KEYLOG_CALLBACK /* * Callback invoked by the SSL library whenever a new TLS pre-master secret * needs to be logged. */ static void -sslkeylogfile_append(const SSL *ssl, const char *line) { - UNUSED(ssl); - +sslkeylogfile_append(const SSL *ssl ISC_ATTR_UNUSED, const char *line) { isc_log_write(isc_lctx, ISC_LOGCATEGORY_SSLKEYLOG, ISC_LOGMODULE_NETMGR, ISC_LOG_INFO, "%s", line); } @@ -284,9 +216,6 @@ sslkeylogfile_init(isc_tlsctx_t *ctx) { SSL_CTX_set_keylog_callback(ctx, sslkeylogfile_append); } } -#else /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */ -#define sslkeylogfile_init(ctx) -#endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */ isc_result_t isc_tlsctx_createclient(isc_tlsctx_t **ctxp) { @@ -308,12 +237,7 @@ isc_tlsctx_createclient(isc_tlsctx_t **ctxp) { SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS); -#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); -#else - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | - SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); -#endif sslkeylogfile_init(ctx); @@ -384,12 +308,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS); -#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); -#else - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | - SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); -#endif if (ephemeral) { const int group_nid = NID_X9_62_prime256v1; @@ -415,27 +334,10 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, } /* Use a named curve and uncompressed point conversion form. */ -#if HAVE_EVP_PKEY_GET0_EC_KEY EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey), OPENSSL_EC_NAMED_CURVE); EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey), POINT_CONVERSION_UNCOMPRESSED); -#else - EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE); - EC_KEY_set_conv_form(pkey->pkey.ec, - POINT_CONVERSION_UNCOMPRESSED); -#endif /* HAVE_EVP_PKEY_GET0_EC_KEY */ - -#if defined(SSL_CTX_set_ecdh_auto) - /* - * Using this macro is required for older versions of OpenSSL to - * automatically enable ECDH support. - * - * On later versions this function is no longer needed and is - * deprecated. - */ - (void)SSL_CTX_set_ecdh_auto(ctx, 1); -#endif /* defined(SSL_CTX_set_ecdh_auto) */ /* Cleanup */ EC_KEY_free(eckey); @@ -494,20 +396,12 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, * Set the "not before" property 5 minutes into the past to * accommodate with some possible clock skew across systems. */ -#if OPENSSL_VERSION_NUMBER < 0x10101000L - X509_gmtime_adj(X509_get_notBefore(cert), -300); -#else X509_gmtime_adj(X509_getm_notBefore(cert), -300); -#endif /* * We set the vailidy for 10 years. */ -#if OPENSSL_VERSION_NUMBER < 0x10101000L - X509_gmtime_adj(X509_get_notAfter(cert), 3650 * 24 * 3600); -#else X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600); -#endif X509_set_pubkey(cert, pkey); @@ -784,7 +678,6 @@ isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist) { bool isc_tls_cipher_suites_valid(const char *cipher_suites) { -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES isc_tlsctx_t *tmp_ctx = NULL; const SSL_METHOD *method = NULL; bool result; @@ -808,27 +701,15 @@ isc_tls_cipher_suites_valid(const char *cipher_suites) { isc_tlsctx_free(&tmp_ctx); return (result); -#else - UNUSED(cipher_suites); - - UNREACHABLE(); -#endif } void isc_tlsctx_set_cipher_suites(isc_tlsctx_t *ctx, const char *cipher_suites) { -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES REQUIRE(ctx != NULL); REQUIRE(cipher_suites != NULL); REQUIRE(*cipher_suites != '\0'); RUNTIME_CHECK(SSL_CTX_set_ciphersuites(ctx, cipher_suites) == 1); -#else - UNUSED(ctx); - UNUSED(cipher_suites); - - UNREACHABLE(); -#endif } void @@ -916,10 +797,8 @@ isc_tlsctx_enable_http2client_alpn(isc_tlsctx_t *ctx) { SSL_CTX_set_next_proto_select_cb(ctx, select_next_proto_cb, NULL); #endif /* !OPENSSL_NO_NEXTPROTONEG */ -#if OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)NGHTTP2_PROTO_ALPN, NGHTTP2_PROTO_ALPN_LEN); -#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -935,7 +814,6 @@ next_proto_cb(isc_tls_t *ssl, const unsigned char **data, unsigned int *len, } #endif /* !OPENSSL_NO_NEXTPROTONEG */ -#if OPENSSL_VERSION_NUMBER >= 0x10002000L static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) { @@ -953,7 +831,6 @@ alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, return (SSL_TLSEXT_ERR_OK); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ void isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) { @@ -962,9 +839,7 @@ isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) { #ifndef OPENSSL_NO_NEXTPROTONEG SSL_CTX_set_next_protos_advertised_cb(tls, next_proto_cb, NULL); #endif // OPENSSL_NO_NEXTPROTONEG -#if OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_CTX_set_alpn_select_cb(tls, alpn_select_proto_cb, NULL); -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L } #endif /* HAVE_LIBNGHTTP2 */ @@ -978,11 +853,9 @@ isc_tls_get_selected_alpn(isc_tls_t *tls, const unsigned char **alpn, #ifndef OPENSSL_NO_NEXTPROTONEG SSL_get0_next_proto_negotiated(tls, alpn, alpnlen); #endif -#if OPENSSL_VERSION_NUMBER >= 0x10002000L if (*alpn == NULL) { SSL_get0_alpn_selected(tls, alpn, alpnlen); } -#endif } static bool @@ -1015,13 +888,10 @@ void isc_tlsctx_enable_dot_client_alpn(isc_tlsctx_t *ctx) { REQUIRE(ctx != NULL); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_CTX_set_alpn_protos(ctx, (const uint8_t *)DOT_PROTO_ALPN, DOT_PROTO_ALPN_LEN); -#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ } -#if OPENSSL_VERSION_NUMBER >= 0x10002000L static int dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, @@ -1039,15 +909,12 @@ dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out, return (SSL_TLSEXT_ERR_OK); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ void isc_tlsctx_enable_dot_server_alpn(isc_tlsctx_t *tls) { REQUIRE(tls != NULL); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_CTX_set_alpn_select_cb(tls, dot_alpn_select_proto_cb, NULL); -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L } isc_result_t @@ -1608,33 +1475,6 @@ isc_tlsctx_client_session_cache_detach( isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache)); } -static bool -ssl_session_seems_resumable(const SSL_SESSION *sess) { -#ifdef HAVE_SSL_SESSION_IS_RESUMABLE - /* - * If SSL_SESSION_is_resumable() is available, let's use that. It - * is expected to be available on OpenSSL >= 1.1.1 and its modern - * siblings. - */ - return (SSL_SESSION_is_resumable(sess) != 0); -#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L) - /* - * Taking into consideration that OpenSSL 1.1.0 uses opaque - * pointers for SSL_SESSION, we cannot implement a replacement for - * SSL_SESSION_is_resumable() manually. Let's use a sensible - * approximation for that, then: if there is an associated session - * ticket or session ID, then, most likely, the session is - * resumable. - */ - unsigned int session_id_len = 0; - (void)SSL_SESSION_get_id(sess, &session_id_len); - return (SSL_SESSION_has_ticket(sess) || session_id_len > 0); -#else - return (!sess->not_resumable && - (sess->session_id_length > 0 || sess->tlsext_ticklen > 0)); -#endif -} - void isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache, char *remote_peer_name, isc_tls_t *tls) { @@ -1652,7 +1492,7 @@ isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache, if (sess == NULL) { ERR_clear_error(); return; - } else if (!ssl_session_seems_resumable(sess)) { + } else if (SSL_SESSION_is_resumable(sess) == 0) { SSL_SESSION_free(sess); return; } diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index a69c559f381..9daadc48a9d 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -4058,11 +4058,7 @@ static cfg_clausedef_t tls_clauses[] = { { "dhparam-file", &cfg_type_qstring, 0 }, { "protocols", &cfg_type_tlsprotos, 0 }, { "ciphers", &cfg_type_astring, 0 }, -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES { "cipher-suites", &cfg_type_astring, 0 }, -#else - { "cipher-suites", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED }, -#endif { "prefer-server-ciphers", &cfg_type_boolean, 0 }, { "session-tickets", &cfg_type_boolean, 0 }, { NULL, NULL, 0 }