From: Yu Watanabe Date: Sun, 17 Aug 2025 12:41:22 +0000 (+0900) Subject: Bump required minimum version of OpenSSL to 3.0.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99d0a9fdb08d0291dcd06a279bf6e2597f651244;p=thirdparty%2Fsystemd.git Bump required minimum version of OpenSSL to 3.0.0 All major distributions have switched to OpenSSL version 3.x. Let's drop support of OpenSSL version 1.x. Note, OpenSSL 3.0 was released on 2021-09-07 (and will be EOL on 2026-09-07). See also #38608. --- diff --git a/README b/README index 84f2b3ae41f..4fcd1117771 100644 --- a/README +++ b/README @@ -243,7 +243,7 @@ REQUIREMENTS: libcurl >= 7.32.0 (optional) libidn2 or libidn (optional) gnutls >= 3.1.4 (optional) - openssl >= 1.1.0 (optional, required to support DNS-over-TLS) + openssl >= 3.0.0 (optional, required to support DNS-over-TLS) p11-kit >= 0.23.3 (optional) libfido2 (optional) tpm2-tss (optional) diff --git a/meson.build b/meson.build index bcf1ff2df59..3b179d64e09 100644 --- a/meson.build +++ b/meson.build @@ -1355,7 +1355,7 @@ libgnutls = dependency('gnutls', conf.set10('HAVE_GNUTLS', libgnutls.found()) libopenssl = dependency('openssl', - version : '>= 1.1.0', + version : '>= 3.0.0', required : get_option('openssl')) conf.set10('HAVE_OPENSSL', libopenssl.found()) diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 537370f0a9c..ced874e2ba9 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -17,7 +17,7 @@ #include "string-util.h" #include "time-util.h" -#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3 +#if HAVE_OPENSSL DISABLE_WARNING_DEPRECATED_DECLARATIONS; DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(RSA*, RSA_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL); diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c index 47c64fd7d4c..e564c2cb7b4 100644 --- a/src/shared/openssl-util.c +++ b/src/shared/openssl-util.c 
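Review bot: The RSA* and EC_KEY* cleanup helpers kept under the new `#if HAVE_OPENSSL` guard in resolved-dns-dnssec.c, together with DISABLE_WARNING_DEPRECATED_DECLARATIONS, mean this file now builds unconditionally on the low-level RSA/EC_KEY API that OpenSSL 3 deprecates, while the rest of this commit moves openssl-util.c and pkcs11-util.c onto EVP_PKEY_fromdata()/OSSL_PARAM. A comment marking this as the remaining piece of debt would help the next reader, e.g. `/* TODO: port DNSSEC key handling to EVP_PKEY_fromdata()/OSSL_PARAM as done in openssl-util.c; the RSA/EC_KEY API is deprecated in OpenSSL 3 and may be removed in a later major. */`. Only the guard and the two helper definitions are visible here, so how widely the deprecated calls are spread through the file cannot be told from this hunk.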
@@ -97,21 +97,12 @@ int openssl_digest_size(const char *digest_alg, size_t *ret_digest_size) { assert(digest_alg); assert(ret_digest_size); -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_(EVP_MD_freep) EVP_MD *md = EVP_MD_fetch(NULL, digest_alg, NULL); -#else - const EVP_MD *md = EVP_get_digestbyname(digest_alg); -#endif if (!md) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Digest algorithm '%s' not supported.", digest_alg); - size_t digest_size; -#if OPENSSL_VERSION_MAJOR >= 3 - digest_size = EVP_MD_get_size(md); -#else - digest_size = EVP_MD_size(md); -#endif + size_t digest_size = EVP_MD_get_size(md); if (digest_size == 0) return log_openssl_errors("Failed to get Digest size"); @@ -136,11 +127,7 @@ int openssl_digest_many( assert(ret_digest); /* ret_digest_size is optional, as caller may already know the digest size */ -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_(EVP_MD_freep) EVP_MD *md = EVP_MD_fetch(NULL, digest_alg, NULL); -#else - const EVP_MD *md = EVP_get_digestbyname(digest_alg); -#endif if (!md) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Digest algorithm '%s' not supported.", digest_alg); @@ -196,16 +183,11 @@ int openssl_hmac_many( assert(ret_digest); /* ret_digest_size is optional, as caller may already know the digest size */ -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_(EVP_MD_freep) EVP_MD *md = EVP_MD_fetch(NULL, digest_alg, NULL); -#else - const EVP_MD *md = EVP_get_digestbyname(digest_alg); -#endif if (!md) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Digest algorithm '%s' not supported.", digest_alg); -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_(EVP_MAC_freep) EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); if (!mac) return log_openssl_errors("Failed to create new EVP_MAC"); 
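Review bot: `size_t digest_size = EVP_MD_get_size(md);` in openssl_digest_size() narrows an int return into size_t, so a negative return (OpenSSL 3 returns -1 from EVP_MD_get_size() when handed a NULL digest, and as far as I can tell its contract does not promise 0 for other failures) would wrap to SIZE_MAX and sail past the `digest_size == 0` check. The preceding `if (!md)` makes that unreachable today, but the check is cheap to make exact: `int size = EVP_MD_get_size(md); if (size <= 0) return log_openssl_errors("Failed to get Digest size"); size_t digest_size = (size_t) size;`. The equivalent line in the openssl_hmac_many hunk is not affected, since EVP_MAC_CTX_get_mac_size() already returns size_t. openssl_digest_size() continues past the end of this hunk.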
@@ -227,29 +209,12 @@ int openssl_hmac_many( if (!EVP_MAC_init(ctx, key, key_size, params)) return log_openssl_errors("Failed to initialize EVP_MAC_CTX"); -#else - _cleanup_(HMAC_CTX_freep) HMAC_CTX *ctx = HMAC_CTX_new(); - if (!ctx) - return log_openssl_errors("Failed to create new HMAC_CTX"); - - if (!HMAC_Init_ex(ctx, key, key_size, md, NULL)) - return log_openssl_errors("Failed to initialize HMAC_CTX"); -#endif for (size_t i = 0; i < n_data; i++) -#if OPENSSL_VERSION_MAJOR >= 3 if (!EVP_MAC_update(ctx, data[i].iov_base, data[i].iov_len)) -#else - if (!HMAC_Update(ctx, data[i].iov_base, data[i].iov_len)) -#endif return log_openssl_errors("Failed to update HMAC"); - size_t digest_size; -#if OPENSSL_VERSION_MAJOR >= 3 - digest_size = EVP_MAC_CTX_get_mac_size(ctx); -#else - digest_size = HMAC_size(ctx); -#endif + size_t digest_size = EVP_MAC_CTX_get_mac_size(ctx); if (digest_size == 0) return log_openssl_errors("Failed to get HMAC digest size"); @@ -257,13 +222,8 @@ int openssl_hmac_many( if (!buf) return log_oom_debug(); -#if OPENSSL_VERSION_MAJOR >= 3 size_t size; if (!EVP_MAC_final(ctx, buf, &size, digest_size)) -#else - unsigned size; - if (!HMAC_Final(ctx, buf, &size)) -#endif return log_openssl_errors("Failed to finalize HMAC"); assert(size == digest_size); @@ -306,11 +266,7 @@ int openssl_cipher_many( if (asprintf(&cipher_alg, "%s-%zu-%s", alg, bits, mode) < 0) return log_oom_debug(); -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_(EVP_CIPHER_freep) EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, cipher_alg, NULL); -#else - const EVP_CIPHER *cipher = EVP_get_cipherbyname(cipher_alg); -#endif if (!cipher) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Cipher algorithm '%s' not supported.", cipher_alg); @@ -391,7 +347,6 @@ int kdf_ss_derive( size_t derive_size, void **ret) { -#if OPENSSL_VERSION_MAJOR >= 3 assert(digest); assert(key); assert(derive_size > 0); 
@@ -437,9 +392,6 @@ int kdf_ss_derive( *ret = TAKE_PTR(buf); return 0; -#else - return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "KDF-SS requires OpenSSL >= 3."); -#endif } /* Perform Key-Based HMAC KDF. The mode must be "COUNTER" or "FEEDBACK". The parameter naming is from the @@ -461,7 +413,6 @@ int kdf_kb_hmac_derive( size_t derive_size, void **ret) { -#if OPENSSL_VERSION_MAJOR >= 3 assert(mode); assert(strcaseeq(mode, "COUNTER") || strcaseeq(mode, "FEEDBACK")); assert(digest); @@ -523,9 +474,6 @@ int kdf_kb_hmac_derive( *ret = TAKE_PTR(buf); return 0; -#else - return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "KDF-KB requires OpenSSL >= 3."); -#endif } int rsa_encrypt_bytes( @@ -583,11 +531,7 @@ int rsa_oaep_encrypt_bytes( assert(ret_encrypt_key); assert(ret_encrypt_key_size); -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_(EVP_MD_freep) EVP_MD *md = EVP_MD_fetch(NULL, digest_alg, NULL); -#else - const EVP_MD *md = EVP_get_digestbyname(digest_alg); -#endif if (!md) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Digest algorithm '%s' not supported.", digest_alg); @@ -672,7 +616,6 @@ int rsa_pkey_from_n_e(const void *n, size_t n_size, const void *e, size_t e_size assert(e_size != 0); assert(ret); -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); if (!ctx) return log_openssl_errors("Failed to create new EVP_PKEY_CTX"); 
@@ -701,34 +644,6 @@ int rsa_pkey_from_n_e(const void *n, size_t n_size, const void *e, size_t e_size if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0) return log_openssl_errors("Failed to create RSA EVP_PKEY"); -#else - _cleanup_(BN_freep) BIGNUM *bn_n = BN_bin2bn(n, n_size, NULL); - if (!bn_n) - return log_openssl_errors("Failed to create BIGNUM for RSA n"); - - _cleanup_(BN_freep) BIGNUM *bn_e = BN_bin2bn(e, e_size, NULL); - if (!bn_e) - return log_openssl_errors("Failed to create BIGNUM for RSA e"); - - _cleanup_(RSA_freep) RSA *rsa_key = RSA_new(); - if (!rsa_key) - return log_openssl_errors("Failed to create new RSA"); - - if (!RSA_set0_key(rsa_key, bn_n, bn_e, NULL)) - return log_openssl_errors("Failed to set RSA n/e"); - /* rsa_key owns these now, don't free */ - TAKE_PTR(bn_n); - TAKE_PTR(bn_e); - - pkey = EVP_PKEY_new(); - if (!pkey) - return log_openssl_errors("Failed to create new EVP_PKEY"); - - if (!EVP_PKEY_assign_RSA(pkey, rsa_key)) - return log_openssl_errors("Failed to assign RSA key"); - /* pkey owns this now, don't free */ - TAKE_PTR(rsa_key); -#endif *ret = TAKE_PTR(pkey); @@ -749,7 +664,6 @@ int rsa_pkey_to_n_e( assert(ret_e); assert(ret_e_size); -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_(BN_freep) BIGNUM *bn_n = NULL; if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &bn_n)) return log_openssl_errors("Failed to get RSA n"); 
@@ -757,19 +671,6 @@ int rsa_pkey_to_n_e( _cleanup_(BN_freep) BIGNUM *bn_e = NULL; if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &bn_e)) return log_openssl_errors("Failed to get RSA e"); -#else - const RSA *rsa = EVP_PKEY_get0_RSA((EVP_PKEY*) pkey); - if (!rsa) - return log_openssl_errors("Failed to get RSA key from public key"); - - const BIGNUM *bn_n = RSA_get0_n(rsa); - if (!bn_n) - return log_openssl_errors("Failed to get RSA n"); - - const BIGNUM *bn_e = RSA_get0_e(rsa); - if (!bn_e) - return log_openssl_errors("Failed to get RSA e"); -#endif size_t n_size = BN_num_bytes(bn_n), e_size = BN_num_bytes(bn_e); _cleanup_free_ void *n = malloc(n_size), *e = malloc(e_size); @@ -823,7 +724,6 @@ int ecc_pkey_from_curve_x_y( if (!EC_POINT_set_affine_coordinates(group, point, bn_x, bn_y, NULL)) return log_openssl_errors("Failed to set ECC coordinates"); -#if OPENSSL_VERSION_MAJOR >= 3 if (EVP_PKEY_fromdata_init(ctx) <= 0) return log_openssl_errors("Failed to initialize EVP_PKEY_CTX"); @@ -850,26 +750,6 @@ int ecc_pkey_from_curve_x_y( _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL; if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0) return log_openssl_errors("Failed to create ECC EVP_PKEY"); -#else - _cleanup_(EC_KEY_freep) EC_KEY *eckey = EC_KEY_new(); - if (!eckey) - return log_openssl_errors("Failed to create new EC_KEY"); - - if (!EC_KEY_set_group(eckey, group)) - return log_openssl_errors("Failed to set ECC group"); - - if (!EC_KEY_set_public_key(eckey, point)) - return log_openssl_errors("Failed to set ECC point"); - - _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = EVP_PKEY_new(); - if (!pkey) - return log_openssl_errors("Failed to create new EVP_PKEY"); - - if (!EVP_PKEY_assign_EC_KEY(pkey, eckey)) - return log_openssl_errors("Failed to assign ECC key"); - /* pkey owns this now, don't free */ - TAKE_PTR(eckey); -#endif *ret = TAKE_PTR(pkey); return 0; 
@@ -888,7 +768,6 @@ int ecc_pkey_to_curve_x_y( assert(pkey); -#if OPENSSL_VERSION_MAJOR >= 3 size_t name_size; if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0, &name_size)) return log_openssl_errors("Failed to get ECC group name size"); @@ -909,31 +788,6 @@ int ecc_pkey_to_curve_x_y( if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &bn_y)) return log_openssl_errors("Failed to get ECC point y"); -#else - const EC_KEY *eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY*) pkey); - if (!eckey) - return log_openssl_errors("Failed to get EC_KEY"); - - const EC_GROUP *group = EC_KEY_get0_group(eckey); - if (!group) - return log_openssl_errors("Failed to get EC_GROUP"); - - curve_id = EC_GROUP_get_curve_name(group); - if (curve_id == NID_undef) - return log_openssl_errors("Failed to get ECC curve id"); - - const EC_POINT *point = EC_KEY_get0_public_key(eckey); - if (!point) - return log_openssl_errors("Failed to get EC_POINT"); - - bn_x = BN_new(); - bn_y = BN_new(); - if (!bn_x || !bn_y) - return log_openssl_errors("Failed to create new BIGNUM"); - - if (!EC_POINT_get_affine_coordinates(group, point, bn_x, bn_y, NULL)) - return log_openssl_errors("Failed to get ECC x/y."); -#endif size_t x_size = BN_num_bytes(bn_x), y_size = BN_num_bytes(bn_y); _cleanup_free_ void *x = malloc(x_size), *y = malloc(y_size); @@ -1247,10 +1101,8 @@ static int ecc_pkey_generate_volume_keys( _cleanup_(erase_and_freep) void *decrypted_key = NULL; _cleanup_free_ unsigned char *saved_key = NULL; size_t decrypted_key_size, saved_key_size; - int nid = NID_undef; int r; -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_free_ char *curve_name = NULL; size_t len = 0; 
@@ -1265,19 +1117,7 @@ static int ecc_pkey_generate_volume_keys( if (EVP_PKEY_get_group_name(pkey, curve_name, len, &len) != 1) return log_openssl_errors("Failed to get PKEY group name"); - nid = OBJ_sn2nid(curve_name); -#else - EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey); - if (!ec_key) - return log_openssl_errors("PKEY doesn't have EC_KEY associated"); - - if (EC_KEY_check_key(ec_key) != 1) - return log_openssl_errors("EC_KEY associated with PKEY is not valid"); - - nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); -#endif - - r = ecc_pkey_new(nid, &pkey_new); + r = ecc_pkey_new(OBJ_sn2nid(curve_name), &pkey_new); if (r < 0) return log_debug_errno(r, "Failed to generate a new EC keypair: %m"); 
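Review bot: Dropping the 1.x branch in ecc_pkey_generate_volume_keys() also drops the only visible validation of the input key: the removed code called EC_KEY_check_key() on pkey's EC_KEY before deriving, whereas the retained 3.x path only reads the group name and hands pkey (used for the shared-secret derivation in the next hunk) on unchecked, as far as these hunks show. If no caller validates the point elsewhere, an explicit check restores the old guarantee on 3.x, e.g. before the ecc_pkey_new() call: `_cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *check_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL); if (!check_ctx || EVP_PKEY_public_check(check_ctx) <= 0) return log_openssl_errors("Public key is not a valid EC key");` (a cast is needed if pkey is const here). The removed branch in the following hunk likewise checked the freshly generated pkey_new, though a key OpenSSL itself just produced is a much weaker concern. The function begins in the previous hunk and ends after the next one, so a caller-side check may exist outside this view.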
@@ -1285,38 +1125,11 @@ static int ecc_pkey_generate_volume_keys( if (r < 0) return log_debug_errno(r, "Failed to derive shared secret: %m"); -#if OPENSSL_VERSION_MAJOR >= 3 /* EVP_PKEY_get1_encoded_public_key() always returns uncompressed format of EC points. See https://github.com/openssl/openssl/discussions/22835 */ saved_key_size = EVP_PKEY_get1_encoded_public_key(pkey_new, &saved_key); if (saved_key_size == 0) return log_openssl_errors("Failed to convert the generated public key to SEC1 format"); -#else - EC_KEY *ec_key_new = EVP_PKEY_get0_EC_KEY(pkey_new); - if (!ec_key_new) - return log_openssl_errors("The generated key doesn't have associated EC_KEY"); - - if (EC_KEY_check_key(ec_key_new) != 1) - return log_openssl_errors("EC_KEY associated with the generated key is not valid"); - - saved_key_size = EC_POINT_point2oct(EC_KEY_get0_group(ec_key_new), - EC_KEY_get0_public_key(ec_key_new), - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, NULL); - if (saved_key_size == 0) - return log_openssl_errors("Failed to determine size of the generated public key"); - - saved_key = malloc(saved_key_size); - if (!saved_key) - return log_oom_debug(); - - saved_key_size = EC_POINT_point2oct(EC_KEY_get0_group(ec_key_new), - EC_KEY_get0_public_key(ec_key_new), - POINT_CONVERSION_UNCOMPRESSED, - saved_key, saved_key_size, NULL); - if (saved_key_size == 0) - return log_openssl_errors("Failed to convert the generated public key to SEC1 format"); -#endif *ret_decrypted_key = TAKE_PTR(decrypted_key); *ret_decrypted_key_size = decrypted_key_size; @@ -1375,11 +1188,7 @@ int pkey_generate_volume_keys( assert(ret_saved_key); assert(ret_saved_key_size); -#if OPENSSL_VERSION_MAJOR >= 3 int type = EVP_PKEY_get_base_id(pkey); -#else - int type = EVP_PKEY_base_id(pkey); -#endif switch (type) { case EVP_PKEY_RSA: 
@@ -1405,7 +1214,6 @@ static int load_key_from_provider( assert(private_key_uri); assert(ret); -#if OPENSSL_VERSION_MAJOR >= 3 /* Load the provider so that this can work without any custom written configuration in /etc/. * Also load the 'default' as that seems to be the recommendation. */ if (!OSSL_PROVIDER_try_load(/* ctx= */ NULL, provider, /* retain_fallbacks= */ true)) @@ -1436,9 +1244,6 @@ static int load_key_from_provider( *ret = TAKE_PTR(private_key); return 0; -#else - return -EOPNOTSUPP; -#endif } static int load_key_from_engine(const char *engine, const char *private_key_uri, EVP_PKEY **ret) { @@ -1609,7 +1414,6 @@ static int load_x509_certificate_from_provider(const char *provider, const char assert(certificate_uri); assert(ret); -#if OPENSSL_VERSION_MAJOR >= 3 /* Load the provider so that this can work without any custom written configuration in /etc/. * Also load the 'default' as that seems to be the recommendation. */ if (!OSSL_PROVIDER_try_load(/* ctx= */ NULL, provider, /* retain_fallbacks= */ true)) @@ -1640,9 +1444,6 @@ static int load_x509_certificate_from_provider(const char *provider, const char *ret = TAKE_PTR(cert); return 0; -#else - return -EOPNOTSUPP; -#endif } OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) { diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h index cb48ea8bfd3..218641e06fe 100644 --- a/src/shared/openssl-util.h +++ b/src/shared/openssl-util.h 
@@ -32,27 +32,21 @@ int parse_openssl_key_source_argument(const char *argument, char **private_key_s #if HAVE_OPENSSL # include /* IWYU pragma: export */ # include /* IWYU pragma: export */ +# include /* IWYU pragma: export */ # include /* IWYU pragma: export */ # include /* IWYU pragma: export */ # include /* IWYU pragma: export */ +# include /* IWYU pragma: export */ # include /* IWYU pragma: export */ +# include /* IWYU pragma: export */ # include /* IWYU pragma: export */ +# include /* IWYU pragma: export */ # include /* IWYU pragma: export */ +# include /* IWYU pragma: export */ # ifndef OPENSSL_NO_UI_CONSOLE # include /* IWYU pragma: export */ # endif # include /* IWYU pragma: export */ -# ifndef OPENSSL_VERSION_MAJOR -/* OPENSSL_VERSION_MAJOR macro was added in OpenSSL 3. Thus, if it doesn't exist, we must be before OpenSSL 3. */ -# define OPENSSL_VERSION_MAJOR 1 -# endif -# if OPENSSL_VERSION_MAJOR >= 3 -# include /* IWYU pragma: export */ -# include /* IWYU pragma: export */ -# include /* IWYU pragma: export */ -# include /* IWYU pragma: export */ -# include /* IWYU pragma: export */ -# endif DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_MACRO(void*, OPENSSL_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL); 
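Review bot: Removing the `#define OPENSSL_VERSION_MAJOR 1` fallback leaves openssl-util.h with no compile-time statement of the new floor; only meson's pkg-config check enforces >= 3.0.0, so a build whose headers come from a different installation than the one pkg-config reports (a stale include path, a vendored tree) would now fail deep inside the EVP_MAC/OSSL_STORE users instead of with a clear message. A guard next to the includes makes the requirement explicit in the code that depends on it: `# if !defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_MAJOR < 3` / `#  error "systemd requires OpenSSL >= 3.0.0"` / `# endif`. The header names in this hunk did not survive extraction (each `# include` line shows only the IWYU pragma), so the exact set of headers being added cannot be checked here.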
@@ -64,10 +58,20 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BN_CTX*, BN_CTX_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ECDSA_SIG*, ECDSA_SIG_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER*, EVP_CIPHER_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_KDF*, EVP_KDF_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_KDF_CTX*, EVP_KDF_CTX_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MAC*, EVP_MAC_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MAC_CTX*, EVP_MAC_CTX_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD*, EVP_MD_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_PARAM*, OSSL_PARAM_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_PARAM_BLD*, OSSL_PARAM_BLD_free, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_STORE_CTX*, OSSL_STORE_close, NULL); +DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_STORE_INFO*, OSSL_STORE_INFO_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7_SIGNER_INFO*, PKCS7_SIGNER_INFO_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL); 
@@ -94,23 +98,6 @@ static inline STACK_OF(X509_ATTRIBUTE) *x509_attribute_free_many(STACK_OF(X509_A DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(STACK_OF(X509_ATTRIBUTE)*, x509_attribute_free_many, NULL); -#if OPENSSL_VERSION_MAJOR >= 3 -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER*, EVP_CIPHER_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_KDF*, EVP_KDF_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_KDF_CTX*, EVP_KDF_CTX_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MAC*, EVP_MAC_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MAC_CTX*, EVP_MAC_CTX_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD*, EVP_MD_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_PARAM*, OSSL_PARAM_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_PARAM_BLD*, OSSL_PARAM_BLD_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_STORE_CTX*, OSSL_STORE_close, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_STORE_INFO*, OSSL_STORE_INFO_free, NULL); -#else -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(HMAC_CTX*, HMAC_CTX_free, NULL); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(RSA*, RSA_free, NULL); -#endif - static inline void sk_X509_free_allp(STACK_OF(X509) **sk) { if (!sk || !*sk) return; diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c index 2111e4b966c..3062bcc5541 100644 --- a/src/shared/pkcs11-util.c +++ b/src/shared/pkcs11-util.c @@ -546,7 +546,6 @@ int pkcs11_token_read_public_key( if (!os) return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode CKA_EC_POINT."); -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL); if (!ctx) return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to create an EVP_PKEY_CTX for EC."); 
@@ -642,31 +641,6 @@ int pkcs11_token_read_public_key( if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, ec_params) != 1) return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to create EVP_PKEY from EC parameters."); -#else - _cleanup_(EC_POINT_freep) EC_POINT *point = EC_POINT_new(group); - if (!point) - return log_oom_debug(); - - if (EC_POINT_oct2point(group, point, os->data, os->length, NULL) != 1) - return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode CKA_EC_POINT."); - - _cleanup_(EC_KEY_freep) EC_KEY *ec_key = EC_KEY_new(); - if (!ec_key) - return log_oom_debug(); - - if (EC_KEY_set_group(ec_key, group) != 1) - return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set group for EC_KEY."); - - if (EC_KEY_set_public_key(ec_key, point) != 1) - return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set public key for EC_KEY."); - - pkey = EVP_PKEY_new(); - if (!pkey) - return log_oom_debug(); - - if (EVP_PKEY_set1_EC_KEY(pkey, ec_key) != 1) - return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to assign EC_KEY to EVP_PKEY."); -#endif break; } default: diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index e089cfbc5ea..4ba83a47ae0 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -4354,7 +4354,7 @@ int tpm2_tpm2b_public_to_openssl_pkey(const TPM2B_PUBLIC *public, EVP_PKEY **ret * "name", because it would break unsealing of previously-sealed objects that used (for example) * tpm2_calculate_policy_authorize(). See bug #30546. */ int tpm2_tpm2b_public_from_openssl_pkey(const EVP_PKEY *pkey, TPM2B_PUBLIC *ret) { - int key_id, r; + int r; assert(pkey); assert(ret); @@ -4368,12 +4368,7 @@ int tpm2_tpm2b_public_from_openssl_pkey(const EVP_PKEY *pkey, TPM2B_PUBLIC *ret) }, }; -#if OPENSSL_VERSION_MAJOR >= 3 - key_id = EVP_PKEY_get_id(pkey); -#else - key_id = EVP_PKEY_id(pkey); -#endif - + int key_id = EVP_PKEY_get_id(pkey); switch (key_id) { case EVP_PKEY_EC: { public.type = TPM2_ALG_ECC; 
diff --git a/src/test/test-openssl.c b/src/test/test-openssl.c index d4c254e50ad..a09484a2ba8 100644 --- a/src/test/test-openssl.c +++ b/src/test/test-openssl.c @@ -103,15 +103,12 @@ static const struct { } digest_size_table[] = { /* SHA1 "family" */ { "sha1", 20, }, -#if OPENSSL_VERSION_MAJOR >= 3 { "sha-1", 20, }, -#endif /* SHA2 family */ { "sha224", 28, }, { "sha256", 32, }, { "sha384", 48, }, { "sha512", 64, }, -#if OPENSSL_VERSION_MAJOR >= 3 { "sha-224", 28, }, { "sha2-224", 28, }, { "sha-256", 32, }, @@ -120,7 +117,6 @@ static const struct { { "sha2-384", 48, }, { "sha-512", 64, }, { "sha2-512", 64, }, -#endif /* SHA3 family */ { "sha3-224", 28, }, { "sha3-256", 32, }, @@ -296,7 +292,6 @@ TEST(hmac_many) { } TEST(kdf_kb_hmac_derive) { -#if OPENSSL_VERSION_MAJOR >= 3 _cleanup_free_ void *derived_key = NULL; DEFINE_HEX_PTR(key, "d7ac57124f28371eacaec475b74869d26b4cd64586412a607ce0a9e0c63d468c"); @@ -306,12 +301,8 @@ TEST(kdf_kb_hmac_derive) { assert_se(kdf_kb_hmac_derive("COUNTER", "SHA256", key, key_len, salt, strlen(salt), info, info_len, /* seed= */ NULL, /* seed_size= */ 0, 64, &derived_key) >= 0); assert_se(memcmp_nn(derived_key, 64, expected_derived_key, expected_derived_key_len) == 0); -#else - log_tests_skipped("KDF-KB requires OpenSSL >= 3"); -#endif } -#if OPENSSL_VERSION_MAJOR >= 3 static void check_ss_derive(const char *hex_key, const char *hex_salt, const char *hex_info, const char *hex_expected) { DEFINE_HEX_PTR(key, hex_key); DEFINE_HEX_PTR(salt, hex_salt); @@ -322,10 +313,8 @@ static void check_ss_derive(const char *hex_key, const char *hex_salt, const cha assert_se(kdf_ss_derive("SHA256", key, key_len, salt, salt_len, info, info_len, expected_len, &derived_key) >= 0); assert_se(memcmp_nn(derived_key, expected_len, expected, expected_len) == 0); } -#endif TEST(kdf_ss_derive) { -#if OPENSSL_VERSION_MAJOR >= 3 check_ss_derive( "01166ad6b05d1fad8cdb50d1902170e9", "feea805789dc8d0b57da5d4d61886b1a", 
@@ -343,9 +332,6 @@ TEST(kdf_ss_derive) { "b75e3b65d1bb845dee581c7e14cfebc6e882946e90273b77ebe289faaf7de248", "ed25a0043d6c1eb28296da1f9ab138dafee18f4c937bfc43601d4ee6e7634199", "30EB1A1E9DEA7DE4DDB8F3FDF50A01E30581D606C1228D98AFF691DF743AC2EE9D99EFD2AE1946C079AA18C9524877FA65D5065F0DAED058AB3416AF80EB2B73"); -#else - log_tests_skipped("KDF-SS requires OpenSSL >= 3"); -#endif } static void check_cipher( diff --git a/src/test/test-tpm2.c b/src/test/test-tpm2.c index 94a92fd2c6e..a6164f2677d 100644 --- a/src/test/test-tpm2.c +++ b/src/test/test-tpm2.c @@ -1144,7 +1144,7 @@ static void check_get_or_create_srk(Tpm2Context *c) { assert_se(memcmp_nn(qname->name, qname->size, qname2->name, qname2->size) == 0); } -#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3 +#if HAVE_OPENSSL static void calculate_seal_and_unseal( Tpm2Context *c, TPM2_HANDLE parent_index, @@ -1228,7 +1228,7 @@ static int check_calculate_seal(Tpm2Context *c) { return 0; } -#endif /* HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3 */ +#endif /* HAVE_OPENSSL */ static void check_seal_unseal_for_handle(Tpm2Context *c, TPM2_HANDLE handle) { TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE); @@ -1330,7 +1330,7 @@ TEST_RET(tests_which_require_tpm) { check_get_or_create_srk(c); check_seal_unseal(c); -#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3 /* calculating sealed object requires openssl >= 3 */ +#if HAVE_OPENSSL r = check_calculate_seal(c); #endif