From: Nick Mathewson <nickm@torproject.org>
Date: Sun, 27 Apr 2025 14:51:12 +0000 (-0400)
Subject: Remove code based on OPENSSL_VERSION_NUMBER
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e0886da99cb5326bcc66631e4463737c775a478;p=thirdparty%2Ftor.git

Remove code based on OPENSSL_VERSION_NUMBER

(Except for some code in aes_openssl.c, which has potential to conflict
with CGO-related branches.)
---

diff --git a/src/lib/crypt_ops/aes_openssl.c b/src/lib/crypt_ops/aes_openssl.c
index bc59d9dc3c..add18bccdd 100644
--- a/src/lib/crypt_ops/aes_openssl.c
+++ b/src/lib/crypt_ops/aes_openssl.c
@@ -24,10 +24,6 @@
 #include <openssl/opensslv.h>
 #include "lib/crypt_ops/crypto_openssl_mgt.h"
 
-#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
-#error "We require OpenSSL >= 1.0.0"
-#endif
-
 DISABLE_GCC_WARNING("-Wredundant-decls")
 
 #include <stdlib.h>
diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.c b/src/lib/crypt_ops/crypto_openssl_mgt.c
index 2bb2447836..1726e92489 100644
--- a/src/lib/crypt_ops/crypto_openssl_mgt.c
+++ b/src/lib/crypt_ops/crypto_openssl_mgt.c
@@ -95,12 +95,7 @@ static char *crypto_openssl_version_str = NULL;
 const char *
 crypto_openssl_get_version_str(void)
 {
-#ifdef OPENSSL_VERSION
   const int query = OPENSSL_VERSION;
-#else
-  /* This old name was changed around OpenSSL 1.1.0 */
-  const int query = SSLEAY_VERSION;
-#endif /* defined(OPENSSL_VERSION) */
 
   if (crypto_openssl_version_str == NULL) {
     const char *raw_version = OpenSSL_version(query);
@@ -109,8 +104,6 @@ crypto_openssl_get_version_str(void)
   return crypto_openssl_version_str;
 }
 
-#undef QUERY_OPENSSL_VERSION
-
 static char *crypto_openssl_header_version_str = NULL;
 /* Return a human-readable version of the compile-time openssl version
 * number. */
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
index aa8948bb28..8b238d7bda 100644
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@ -80,14 +80,6 @@ ENABLE_GCC_WARNING("-Wredundant-decls")
 
 #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
 
-#if OPENSSL_VERSION_NUMBER <  OPENSSL_V(1,0,0,'f')
-/* This is a version of OpenSSL before 1.0.0f. It does not have
- * the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and
- * SSL3 safely at the same time.
- */
-#define DISABLE_SSL3_HANDSHAKE
-#endif /* OPENSSL_VERSION_NUMBER <  OPENSSL_V(1,0,0,'f') */
-
 /** Set to true iff openssl bug 7712 has been detected. */
 static int openssl_bug_7712_is_present = 0;
 
@@ -571,12 +563,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 #ifdef SSL_OP_NO_COMPRESSION
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);
 #endif
-#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
-#ifndef OPENSSL_NO_COMP
-  if (result->ctx->comp_methods)
-    result->ctx->comp_methods = NULL;
-#endif
-#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0) */
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
   SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
@@ -1041,18 +1027,9 @@ tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
    * save the original BIO for  tls->ssl in the tor_tls_t structure, but
    * that would be tempting fate. */
   wbio = SSL_get_wbio(tls->ssl);
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
-  /* BIO structure is opaque as of OpenSSL 1.1.0-pre5-dev.  Again, not
-   * supposed to use this form of the version macro, but the OpenSSL developers
-   * introduced major API changes in the pre-release stage.
-   */
   if (BIO_method_type(wbio) == BIO_TYPE_BUFFER &&
         (tmpbio = BIO_next(wbio)) != NULL)
     wbio = tmpbio;
-#else /* !(OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)) */
-  if (wbio->method == BIO_f_buffer() && (tmpbio = BIO_next(wbio)) != NULL)
-    wbio = tmpbio;
-#endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) */
   w = (unsigned long) BIO_number_written(wbio);
 
   /* We are ok with letting these unsigned ints go "negative" here:
@@ -1163,7 +1140,6 @@ tor_tls_get_buffer_sizes(tor_tls_t *tls,
                          size_t *rbuf_capacity, size_t *rbuf_bytes,
                          size_t *wbuf_capacity, size_t *wbuf_bytes)
 {
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
   (void)tls;
   (void)rbuf_capacity;
   (void)rbuf_bytes;
@@ -1171,19 +1147,6 @@ tor_tls_get_buffer_sizes(tor_tls_t *tls,
   (void)wbuf_bytes;
 
   return -1;
-#else /* !(OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)) */
-  if (tls->ssl->s3->rbuf.buf)
-    *rbuf_capacity = tls->ssl->s3->rbuf.len;
-  else
-    *rbuf_capacity = 0;
-  if (tls->ssl->s3->wbuf.buf)
-    *wbuf_capacity = tls->ssl->s3->wbuf.len;
-  else
-    *wbuf_capacity = 0;
-  *rbuf_bytes = tls->ssl->s3->rbuf.left;
-  *wbuf_bytes = tls->ssl->s3->wbuf.left;
-  return 0;
-#endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) */
 }
 
 /** Check whether the ECC group requested is supported by the current OpenSSL
diff --git a/src/test/test_tortls_openssl.c b/src/test/test_tortls_openssl.c
index 57012f611d..b4b19c31e8 100644
--- a/src/test/test_tortls_openssl.c
+++ b/src/test/test_tortls_openssl.c
@@ -713,23 +713,7 @@ test_tortls_get_buffer_sizes(void *ignored)
   tls->ssl->s3->wbuf.left = 43;
 
   ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
   tt_int_op(ret, OP_EQ, -1);
-#else
-  tt_int_op(ret, OP_EQ, 0);
-  tt_int_op(rbuf_c, OP_EQ, 0);
-  tt_int_op(wbuf_c, OP_EQ, 0);
-  tt_int_op(rbuf_b, OP_EQ, 42);
-  tt_int_op(wbuf_b, OP_EQ, 43);
-
-  tls->ssl->s3->rbuf.buf = tor_malloc_zero(1);
-  tls->ssl->s3->wbuf.buf = tor_malloc_zero(1);
-  ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
-  tt_int_op(ret, OP_EQ, 0);
-  tt_int_op(rbuf_c, OP_EQ, 1);
-  tt_int_op(wbuf_c, OP_EQ, 2);
-
-#endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) */
 
  done:
   tor_free(tls->ssl->s3->rbuf.buf);