From: Quanah Gibson-Mount
Date: Tue, 25 Aug 2020 18:32:24 +0000 (+0000)
Subject: ITS#9323 - Limit to OpenSSL 1.0.2 or later
X-Git-Tag: OPENLDAP_REL_ENG_2_5_0ALPHA~16^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c1411b81992baf4119c02c91d7d1a2b1980a0ab0;p=thirdparty%2Fopenldap.git
ITS#9323 - Limit to OpenSSL 1.0.2 or later
---
diff --git a/build/openldap.m4 b/build/openldap.m4
index 048abbcd7b..2419683b3d 100644
--- a/build/openldap.m4
+++ b/build/openldap.m4
@@ -806,19 +806,3 @@ AC_DEFUN([OL_SASL_COMPAT],
 #endif
 ], [ol_cv_sasl_compat=yes], [ol_cv_sasl_compat=no])])
 ])
-dnl ====================================================================
-dnl check for SSL compatibility
-AC_DEFUN([OL_SSL_COMPAT],
-[AC_CACHE_CHECK([OpenSSL library version (CRL checking capability)],
- [ol_cv_ssl_crl_compat],[
- AC_EGREP_CPP(__ssl_compat,[
-#ifdef HAVE_OPENSSL_SSL_H
-#include
-#endif
-
-/* Require 0.9.7d+ */
-#if OPENSSL_VERSION_NUMBER >= 0x0090704fL
- char *__ssl_compat = "0.9.7d";
-#endif
- ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
-])
diff --git a/configure.in b/configure.in
index 5d15f7d48f..d933f50e28 100644
--- a/configure.in
+++ b/configure.in
@@ -1163,6 +1163,13 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
 AC_CHECK_HEADERS(openssl/ssl.h)
 if test $ac_cv_header_openssl_ssl_h = yes ; then
+ AC_PREPROC_IFELSE([AC_LANG_SOURCE(
+ [[#include ]
+[#if OPENSSL_VERSION_NUMBER < 0x1000200fL]
+[#error "OpenSSL is too old"]
+[#endif]])],
+ , [AC_MSG_FAILURE([OpenSSL 1.0.2a or newer required])])
+
 AC_CHECK_LIB(ssl, SSL_CTX_set_msg_callback,
 [have_openssl=yes
 need_rsaref=no], [have_openssl=no],
@@ -1191,12 +1198,6 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
 else
 TLS_LIBS="-lssl -lcrypto"
 fi
-
- OL_SSL_COMPAT
- if test $ol_cv_ssl_crl_compat = yes ; then
- AC_DEFINE(HAVE_OPENSSL_CRL, 1,
- [define if you have OpenSSL with CRL checking capability])
- fi
 fi
 fi
 fi
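Review bot: The version gate and its failure message disagree: `0x1000200fL` is the number of the 1.0.2 release itself (the low nibble `f` is the release status, not a letter revision), so plain 1.0.2 passes the `#if`, yet AC_MSG_FAILURE says `OpenSSL 1.0.2a or newer required` while the commit subject says 1.0.2. Either reword the message to `[OpenSSL 1.0.2 or newer required]` or raise the bound to `0x1000201fL` if 1.0.2a really is the floor. The test also admits any library that defines a larger OPENSSL_VERSION_NUMBER — LibreSSL reports 0x20000000L regardless of which 1.0.2-era APIs it actually provides — so the features this commit now uses unconditionally elsewhere (CRL checking, RSA_generate_key_ex) are assumed rather than probed; a short comment above AC_PREPROC_IFELSE saying that this is a version floor, not a feature probe, would make that explicit. The `#include` inside AC_LANG_SOURCE shows no header name in this rendering, presumably lost to extraction; it must name the OpenSSL header that defines OPENSSL_VERSION_NUMBER, otherwise the macro evaluates as 0 in the `#if` and every build is rejected.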
diff --git a/include/portable.hin b/include/portable.hin
index 7a419ca7e7..19d4442d4e 100644
--- a/include/portable.hin
+++ b/include/portable.hin
@@ -373,9 +373,6 @@
 /* Define to 1 if you have the header file. */
 #undef HAVE_OPENSSL_BN_H
-/* define if you have OpenSSL with CRL checking capability */
-#undef HAVE_OPENSSL_CRL
-
 /* Define to 1 if you have the header file. */
 #undef HAVE_OPENSSL_CRYPTO_H
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index ebf91a5774..05a81c554b 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -126,7 +126,7 @@ static const struct ol_attribute {
 {0, ATTR_TLS, "TLS_PEERKEY_HASH", NULL, LDAP_OPT_X_TLS_PEERKEY_HASH},
 {0, ATTR_TLS, "TLS_ECNAME", NULL, LDAP_OPT_X_TLS_ECNAME},
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 {0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK},
 #endif
 #ifdef HAVE_GNUTLS
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 2d069af67d..cf6eae66fa 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -629,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
 }
 return ldap_pvt_tls_set_option( ld, option, &i );
 }
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
 i = -1;
 if ( strcasecmp( arg, "none" ) == 0 ) {
@@ -719,7 +719,7 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 case LDAP_OPT_X_TLS_REQUIRE_SAN:
 *(int *)arg = lo->ldo_tls_require_san;
 break;
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
 *(int *)arg = lo->ldo_tls_crlcheck;
 break;
@@ -937,7 +937,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 return 0;
 }
 return -1;
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
 if ( !arg ) return -1;
 switch( *(int *) arg ) {
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 2d6bc9c9eb..89ef4a25d3 100644
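Review bot: The LDAP_OPT_X_TLS_CRLCHECK cases in ldap_pvt_tls_config, ldap_pvt_tls_get_option and ldap_pvt_tls_set_option now hinge on HAVE_OPENSSL instead of a configure-probed feature macro, and the portable.hin hunk on this page removes HAVE_OPENSSL_CRL without showing where HAVE_OPENSSL is defined. If configure does not AC_DEFINE HAVE_OPENSSL whenever have_openssl=yes, all three `case` labels vanish and a TLS_CRLCHECK / tls_crlcheck= setting is accepted but never applied (slapd's TLSCRLCheck falls to ARG_IGNORED in the bconfig.c hunk) — CRL checking silently off is the unsafe direction, so this is worth confirming in configure.in rather than assuming. The same substitution is made in the init.c hunk above and in the bconfig.c, config.c and slap.h hunks below; one comment at the first occurrence, `/* HAVE_OPENSSL: CRL checking exists on every supported OpenSSL (>= 1.0.2) */`, would record why the guard changed. All three tls2.c functions start and end outside their hunks.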
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -46,8 +46,6 @@
 #include
 #include
 #include
-#elif defined( HAVE_SSL_H )
-#include
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
@@ -244,11 +242,7 @@ tlso_destroy( void )
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 EVP_cleanup();
-#if OPENSSL_VERSION_NUMBER < 0x10000000
- ERR_remove_state(0);
-#else
 ERR_remove_thread_state(NULL);
-#endif
 ERR_free_strings();
 #endif
@@ -498,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
 #endif
-#ifdef HAVE_OPENSSL_CRL
 if ( lo->ldo_tls_crlcheck ) {
 X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
 if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
@@ -508,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
 }
 }
-#endif
 return 0;
 }
@@ -904,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
 static int
 tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 {
-#if OPENSSL_VERSION_NUMBER >= 0x00908000
 tlso_session *s = (tlso_session *)sess;
 const EVP_MD *md;
 unsigned int md_len;
@@ -944,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 buf->bv_len = md_len;
 return md_len;
-#else
- return 0;
-#endif
 }
 static const char *
@@ -1470,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 RSA *tmp_rsa;
 /* FIXME: Pregenerate the key on startup */
 /* FIXME: Who frees the key? */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000
 BIGNUM *bn = BN_new();
 tmp_rsa = NULL;
 if ( bn ) {
@@ -1483,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 }
 BN_free( bn );
 }
-#else
- tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
-#endif
 if ( !tmp_rsa ) {
 Debug2( LDAP_DEBUG_ANY,
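Review bot: With the HAVE_OPENSSL_CRL guard removed, the `if ( lo->ldo_tls_crlcheck )` block in tlso_ctx_init is compiled for every OpenSSL build, which is correct under the new configure floor but leaves no trace of why the guard could go; a one-liner above it, `/* CRL checking is always available: configure requires OpenSSL >= 1.0.2 */`, would save the next reader a trip to the history. X509_V_FLAG_CRL_CHECK makes OpenSSL reject a chain when no CRL for the issuer can be found, so a configuration that enables crlcheck without loading CRLs fails verification rather than skipping it — the safe direction, but worth a sentence in the same comment now that the build-time escape hatch that used to drop the feature on old libraries is gone. The SSL_CTX_set_tmp_rsa_callback call just above stays under `OPENSSL_VERSION_NUMBER < 0x10100000`, so the tlso_tmp_rsa_cb hunks further down appear to matter only for 1.0.2 builds and the two surviving FIXMEs there could say so. tlso_ctx_init starts and ends outside this hunk.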
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index c8bcdbadd2..fc9e783f20 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = {
 "EQUALITY caseExactMatch "
 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 { "TLSCRLCheck", NULL, 2, 2, 0,
-#if defined(HAVE_TLS) && defined(HAVE_OPENSSL_CRL)
+#if defined(HAVE_TLS) && defined(HAVE_OPENSSL)
 CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config,
 #else
 ARG_IGNORED, NULL,
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 2248a9a3e1..7fe76e85be 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1492,7 +1492,7 @@ static slap_cf_aux_table bindkey[] = {
 { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
 { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
 { BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
 #endif
 #endif
@@ -1873,7 +1873,7 @@ void bindconf_free( slap_bindconf *bc ) {
 ch_free( bc->sb_tls_ecname );
 bc->sb_tls_ecname = NULL;
 }
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 if ( bc->sb_tls_crlcheck ) {
 ch_free( bc->sb_tls_crlcheck );
 bc->sb_tls_crlcheck = NULL;
@@ -1913,7 +1913,7 @@ bindconf_tls_defaults( slap_bindconf *bc )
 if ( !bc->sb_tls_ecname )
 slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
 &bc->sb_tls_ecname );
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 if ( !bc->sb_tls_crlcheck )
 slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
 &bc->sb_tls_crlcheck );
@@ -1986,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 res = -1;
 }
 }
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 if ( bc->sb_tls_crlcheck ) {
 rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
 bc->sb_tls_crlcheck );
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 3f5180b301..856fee7b2b 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1655,7 +1655,7 @@ typedef struct slap_bindconf {
 char *sb_tls_cipher_suite;
 char *sb_tls_protocol_min;
 char *sb_tls_ecname;
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 char *sb_tls_crlcheck;
 #endif
 int sb_tls_do_init;