From: Arran Cudbard-Bell Date: Fri, 18 Jun 2021 00:20:05 +0000 (-0500) Subject: Remove support for OpenSSL < 1.1.0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5f196d479073fc53bb1ca0ce525001a2b97d0e4;p=thirdparty%2Ffreeradius-server.git Remove support for OpenSSL < 1.1.0 We need 1.1.0 for async support --- diff --git a/configure.ac b/configure.ac index fff14334975..0d4e917128b 100644 --- a/configure.ac +++ b/configure.ac @@ -1199,10 +1199,10 @@ if test "x$WITH_OPENSSL" = xyes; then ] ) - AC_MSG_CHECKING([for OpenSSL version >= 1.0.2]) + AC_MSG_CHECKING([for OpenSSL version >= 1.1.0]) AC_EGREP_CPP(yes, [#include - #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) + #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) yes #endif ], diff --git a/src/lib/eap/crypto.c b/src/lib/eap/crypto.c index d9214f08117..ea4240fbdf6 100644 --- a/src/lib/eap/crypto.c +++ b/src/lib/eap/crypto.c @@ -36,7 +36,6 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include #include -#include #include #include "tls.h" @@ -94,7 +93,7 @@ int eap_crypto_tls_session_id(TALLOC_CTX *ctx, #endif request_t *request, SSL *ssl, uint8_t **out, uint8_t eap_type, -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10101000L UNUSED #endif char const *prf_label, @@ -107,7 +106,6 @@ int eap_crypto_tls_session_id(TALLOC_CTX *ctx, *out = NULL; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L if (!prf_label) goto random_based_session_id; switch (SSL_SESSION_get_protocol_version(SSL_get_session(ssl))) { @@ -119,7 +117,6 @@ int eap_crypto_tls_session_id(TALLOC_CTX *ctx, case TLS1_1_VERSION: /* No Method ID */ case TLS1_2_VERSION: /* No Method ID */ random_based_session_id: -#endif MEM(buff = p = talloc_array(ctx, uint8_t, sizeof(eap_type) + (2 * SSL3_RANDOM_SIZE))); *p++ = eap_type; @@ -145,9 +142,7 @@ int eap_crypto_tls_session_id(TALLOC_CTX *ctx, } break; #endif -#if OPENSSL_VERSION_NUMBER >= 0x10100000L } -#endif *out = buff; return 0; diff --git a/src/lib/eap/tls.c b/src/lib/eap/tls.c index 087ae883ed8..b9853ef7e96 100644 --- a/src/lib/eap/tls.c +++ b/src/lib/eap/tls.c @@ -275,16 +275,6 @@ int eap_tls_success(request_t *request, eap_session_t *eap_session, eap_session->finished = true; -#if OPENSSL_VERSION_NUMBER < 0x10100000L - /* - * Check session resumption is allowed, disabling it - * if it's not. - */ - fr_tls_session_request_bind(tls_session->ssl, request); - fr_tls_cache_disable_cb(tls_session->ssl, -1); - fr_tls_session_request_unbind(tls_session->ssl); -#endif - /* * Build the success packet */ diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c index b790bf89dbe..89f8902299b 100644 --- a/src/lib/tls/base.c +++ b/src/lib/tls/base.c @@ -207,178 +207,10 @@ static fr_openssl_defect_t fr_openssl_defects[] = .id = "CVE-2016-6304", .name = "OCSP status request extension", .comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt" - }, - { - .low = Vm(1,0,2,'i'), /* 1.0.2i */ - .high = Vm(1,0,2,'i'), /* 1.0.2i */ - .id = "CVE-2016-7052", - .name = "OCSP status request extension", - .comment = "For more information see https://www.openssl.org/news/secadv/20160926.txt" - }, - { - .low = VM(1,0,2), /* 1.0.2 */ - .high = Vm(1,0,2,'h'), /* 1.0.2h */ - .id = "CVE-2016-6304", - .name = "OCSP status request extension", - .comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt" - }, + } }; #endif /* ENABLE_OPENSSL_VERSION_CHECK */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L -/* - * If we're linking against OpenSSL, then it is the - * duty of the application, if it is multithreaded, - * to provide OpenSSL with appropriate thread id - * and mutex locking functions - * - * Note: this only implements static callbacks. - * OpenSSL does not use dynamic locking callbacks - * right now, but may in the future, so we will have - * to add them at some point. - */ -static pthread_mutex_t *global_mutexes = NULL; - -static unsigned long _thread_id(void) -{ - unsigned long ret; - pthread_t thread = pthread_self(); - - if (sizeof(ret) >= sizeof(thread)) { - memcpy(&ret, &thread, sizeof(thread)); - } else { - memcpy(&ret, &thread, sizeof(ret)); - } - - return ret; -} - -/* - * Use preprocessor magic to get the right function and argument - * to use. This avoids ifdef's through the rest of the code. - */ -static void ssl_id_function(CRYPTO_THREADID *id) -{ - CRYPTO_THREADID_set_numeric(id, _thread_id()); -} -#define set_id_callback CRYPTO_THREADID_set_callback - - -static void _global_mutex(int mode, int n, UNUSED char const *file, UNUSED int line) -{ - if (mode & CRYPTO_LOCK) { - pthread_mutex_lock(&(global_mutexes[n])); - } else { - pthread_mutex_unlock(&(global_mutexes[n])); - } -} - -/** Free the static mutexes we allocated for OpenSSL - * - */ -static int _global_mutexes_free(pthread_mutex_t *mutexes) -{ - size_t i; - - /* - * Ensure OpenSSL doesn't use the locks - */ - CRYPTO_set_id_callback(NULL); - CRYPTO_set_locking_callback(NULL); - - /* - * Destroy all the mutexes - */ - for (i = 0; i < talloc_array_length(mutexes); i++) pthread_mutex_destroy(&(mutexes[i])); - - return 0; -} - -/** OpenSSL uses static mutexes which we need to initialise - * - * @note Yes, these really are global. - * - * @param ctx to alloc mutexes/array in. - * @return array of mutexes. - */ -static pthread_mutex_t *global_mutexes_init(TALLOC_CTX *ctx) -{ - int i = 0; - pthread_mutex_t *mutexes; - -#define SETUP_CRYPTO_LOCK if (i < CRYPTO_num_locks()) pthread_mutex_init(&(mutexes[i++]), NULL) - - mutexes = talloc_array(ctx, pthread_mutex_t, CRYPTO_num_locks()); - if (!mutexes) { - ERROR("Error allocating memory for OpenSSL mutexes!"); - return NULL; - } - - talloc_set_destructor(mutexes, _global_mutexes_free); - - /* - * Some profiling tools only give us the line the mutex - * was initialised on. In that case this allows us to - * see which of the mutexes in the profiling tool relates - * to which OpenSSL mutex. - * - * OpenSSL locks are usually indexed from 1, but just to - * be sure we initialise index 0 too. - */ - SETUP_CRYPTO_LOCK; /* UNUSED */ - SETUP_CRYPTO_LOCK; /* 1 - CRYPTO_LOCK_ERR */ - SETUP_CRYPTO_LOCK; /* 2 - CRYPTO_LOCK_EX_DATA */ - SETUP_CRYPTO_LOCK; /* 3 - CRYPTO_LOCK_X509 */ - SETUP_CRYPTO_LOCK; /* 4 - CRYPTO_LOCK_X509_INFO */ - SETUP_CRYPTO_LOCK; /* 5 - CRYPTO_LOCK_X509_PKEY */ - SETUP_CRYPTO_LOCK; /* 6 - CRYPTO_LOCK_X509_CRL */ - SETUP_CRYPTO_LOCK; /* 7 - CRYPTO_LOCK_X509_REQ */ - SETUP_CRYPTO_LOCK; /* 8 - CRYPTO_LOCK_DSA */ - SETUP_CRYPTO_LOCK; /* 9 - CRYPTO_LOCK_RSA */ - SETUP_CRYPTO_LOCK; /* 10 - CRYPTO_LOCK_EVP_PKEY */ - SETUP_CRYPTO_LOCK; /* 11 - CRYPTO_LOCK_X509_STORE */ - SETUP_CRYPTO_LOCK; /* 12 - CRYPTO_LOCK_SSL_CTX */ - SETUP_CRYPTO_LOCK; /* 13 - CRYPTO_LOCK_SSL_CERT */ - SETUP_CRYPTO_LOCK; /* 14 - CRYPTO_LOCK_SSL_SESSION */ - SETUP_CRYPTO_LOCK; /* 15 - CRYPTO_LOCK_SSL_SESS_CERT */ - SETUP_CRYPTO_LOCK; /* 16 - CRYPTO_LOCK_SSL */ - SETUP_CRYPTO_LOCK; /* 17 - CRYPTO_LOCK_SSL_METHOD */ - SETUP_CRYPTO_LOCK; /* 18 - CRYPTO_LOCK_RAND */ - SETUP_CRYPTO_LOCK; /* 19 - CRYPTO_LOCK_RAND2 */ - SETUP_CRYPTO_LOCK; /* 20 - CRYPTO_LOCK_MALLOC */ - SETUP_CRYPTO_LOCK; /* 21 - CRYPTO_LOCK_BIO */ - SETUP_CRYPTO_LOCK; /* 22 - CRYPTO_LOCK_GETHOSTBYNAME */ - SETUP_CRYPTO_LOCK; /* 23 - CRYPTO_LOCK_GETSERVBYNAME */ - SETUP_CRYPTO_LOCK; /* 24 - CRYPTO_LOCK_READDIR */ - SETUP_CRYPTO_LOCK; /* 25 - CRYPTO_LOCRYPTO_LOCK_RSA_BLINDING */ - SETUP_CRYPTO_LOCK; /* 26 - CRYPTO_LOCK_DH */ - SETUP_CRYPTO_LOCK; /* 27 - CRYPTO_LOCK_MALLOC2 */ - SETUP_CRYPTO_LOCK; /* 28 - CRYPTO_LOCK_DSO */ - SETUP_CRYPTO_LOCK; /* 29 - CRYPTO_LOCK_DYNLOCK */ - SETUP_CRYPTO_LOCK; /* 30 - CRYPTO_LOCK_ENGINE */ - SETUP_CRYPTO_LOCK; /* 31 - CRYPTO_LOCK_UI */ - SETUP_CRYPTO_LOCK; /* 32 - CRYPTO_LOCK_ECDSA */ - SETUP_CRYPTO_LOCK; /* 33 - CRYPTO_LOCK_EC */ - SETUP_CRYPTO_LOCK; /* 34 - CRYPTO_LOCK_ECDH */ - SETUP_CRYPTO_LOCK; /* 35 - CRYPTO_LOCK_BN */ - SETUP_CRYPTO_LOCK; /* 36 - CRYPTO_LOCK_EC_PRE_COMP */ - SETUP_CRYPTO_LOCK; /* 37 - CRYPTO_LOCK_STORE */ - SETUP_CRYPTO_LOCK; /* 38 - CRYPTO_LOCK_COMP */ - SETUP_CRYPTO_LOCK; /* 39 - CRYPTO_LOCK_FIPS */ - SETUP_CRYPTO_LOCK; /* 40 - CRYPTO_LOCK_FIPS2 */ - - /* - * Incase more are added *sigh* - */ - while (i < CRYPTO_num_locks()) SETUP_CRYPTO_LOCK; - - set_id_callback(ssl_id_function); - CRYPTO_set_locking_callback(_global_mutex); - - return mutexes; -} -#endif - #ifdef ENABLE_OPENSSL_VERSION_CHECK /** Check for vulnerable versions of libssl * @@ -441,11 +273,7 @@ int fr_openssl_version_check(char const *acknowledged) * @param len to alloc. * @return realloc. */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L static void *fr_openssl_talloc(size_t len, UNUSED char const *file, UNUSED int line) -#else -static void *fr_openssl_talloc(size_t len) -#endif { return talloc_array(ssl_talloc_ctx, uint8_t, len); } @@ -456,11 +284,7 @@ static void *fr_openssl_talloc(size_t len) * @param len to extend to. * @return realloced memory. */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L static void *fr_openssl_talloc_realloc(void *old, size_t len, UNUSED char const *file, UNUSED int line) -#else -static void *fr_openssl_talloc_realloc(void *old, size_t len) -#endif { return talloc_realloc_size(ssl_talloc_ctx, old, len); } @@ -469,7 +293,6 @@ static void *fr_openssl_talloc_realloc(void *old, size_t len) * * @param to_free memory to free. */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L #ifdef NDEBUG /* * If we're not debugging, use only the filename. Otherwise the @@ -488,42 +311,7 @@ static void fr_openssl_talloc_free(void *to_free, char const *file, int line) (void)_talloc_free(to_free, buffer); } #endif -#else -static void fr_openssl_talloc_free(void *to_free) -{ - (void)talloc_free(to_free); -} -#endif -#if OPENSSL_VERSION_NUMBER < 0x10100000L -void fr_openssl_free(void) -{ - if (--instance_count > 0) return; - - /* - * If we linked with OpenSSL, the application - * must remove the thread's error queue before - * exiting to prevent memory leaks. - */ - ERR_remove_thread_state(NULL); - - fr_tls_engine_free_all(); - - CONF_modules_unload(1); - - ERR_free_strings(); - - EVP_cleanup(); - - CRYPTO_cleanup_all_ex_data(); - - TALLOC_FREE(global_mutexes); - - fr_dict_autofree(tls_dict); - - fr_tls_log_free(); -} -#else /** Free any memory alloced by libssl * * OpenSSL >= 1.1.0 uses an atexit handler to automatically free @@ -543,7 +331,6 @@ void fr_openssl_free(void) fr_tls_log_free(); } -#endif /** Add all the default ciphers and message digests to our context. * @@ -566,33 +353,14 @@ int fr_openssl_init(void) return -1; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L - SSL_load_error_strings(); /* Readable error messages (examples show call before library_init) */ - SSL_library_init(); /* Initialize library */ - OpenSSL_add_all_algorithms(); /* Required for SHA2 in OpenSSL < 0.9.8o and 1.0.0.a */ -# ifdef HAVE_OPENSSL_EVP_SHA256 /* * SHA256 is in all versions of OpenSSL, but isn't * initialized by default. It's needed for WiMAX * certificates. */ EVP_add_digest(EVP_sha256()); -# endif - /* - * If we're linking with OpenSSL too, then we need - * to set up the mutexes and enable the thread callbacks. - */ - global_mutexes = global_mutexes_init(NULL); - if (!global_mutexes) { - ERROR("Failed to set up SSL mutexes"); - fr_openssl_free(); - return -1; - } - OPENSSL_config(NULL); -#else OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); -#endif /* * FIXME - This should be done _after_ diff --git a/src/lib/tls/cache.c b/src/lib/tls/cache.c index 3a50ec0516a..59723b51435 100644 --- a/src/lib/tls/cache.c +++ b/src/lib/tls/cache.c @@ -39,7 +39,6 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include "base.h" #include "cache.h" #include "log.h" -#include "missing.h" #include "validate.h" /** Retrieve session ID (in binary form) from the session @@ -501,11 +500,7 @@ static int tls_cache_store_cb(SSL *ssl, SSL_SESSION *sess) * - NULL on error. */ static SSL_SESSION *tls_cache_load_cb(SSL *ssl, -#if OPENSSL_VERSION_NUMBER >= 0x10100000L unsigned char const *key, -#else - unsigned char *key, -#endif int key_len, int *copy) { fr_tls_session_t *tls_session; @@ -619,11 +614,7 @@ static void tls_cache_delete_cb(UNUSED SSL_CTX *ctx, SSL_SESSION *sess) * - 0 if session-resumption is allowed. * - 1 if enabling session-resumption was disabled for this session. */ -int fr_tls_cache_disable_cb(SSL *ssl, -#if OPENSSL_VERSION_NUMBER < 0x10100000L - UNUSED -#endif - int is_forward_secure) +int fr_tls_cache_disable_cb(SSL *ssl, int is_forward_secure) { request_t *request; @@ -633,7 +624,6 @@ int fr_tls_cache_disable_cb(SSL *ssl, tls_session = talloc_get_type_abort(SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_TLS_SESSION), fr_tls_session_t); request = fr_tls_session_request(tls_session->ssl); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L { fr_tls_conf_t *conf; @@ -649,7 +639,6 @@ int fr_tls_cache_disable_cb(SSL *ssl, goto disable; } } -#endif /* * If there's no session resumption, delete the entry @@ -1065,9 +1054,7 @@ int fr_tls_cache_ctx_init(SSL_CTX *ctx, fr_tls_cache_conf_t const *cache_conf) break; } -#if OPENSSL_VERSION_NUMBER >= 0x10100000L SSL_CTX_set_not_resumable_session_callback(ctx, fr_tls_cache_disable_cb); -#endif SSL_CTX_set_quiet_shutdown(ctx, 1); return 0; diff --git a/src/lib/tls/conf.c b/src/lib/tls/conf.c index be02805ba12..f3a4d2cc511 100644 --- a/src/lib/tls/conf.c +++ b/src/lib/tls/conf.c @@ -42,7 +42,6 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include "base.h" #include "log.h" -#include "missing.h" /** Certificate formats * diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c index cf93bf1be95..8c9a815c3cd 100644 --- a/src/lib/tls/ctx.c +++ b/src/lib/tls/ctx.c @@ -40,7 +40,6 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include #include "base.h" -#include "missing.h" #include "log.h" #ifndef OPENSSL_NO_ECDH @@ -436,24 +435,12 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client) * at the cost of the server occasionally * crashing on exit. */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L - FR_OPENSSL_BIND_OBJ_MEMORY(ctx = SSL_CTX_new(SSLv23_method())); /* which is really "all known SSL / TLS methods". Idiots. */ -#else ctx = SSL_CTX_new(SSLv23_method()); -#endif if (!ctx) { fr_tls_log_error(NULL, "Failed creating TLS context"); return NULL; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L - /* - * Bind any other memory to the ctx to fix - * leaks on exit. - */ - FR_OPENSSL_BIND_MEMORY_BEGIN(ctx); -#endif - /* * Save the config on the context so that callbacks which * only get SSL_CTX* e.g. session persistence, can get at it. @@ -472,9 +459,6 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client) if (!*conf->psk_query) { ERROR("Invalid PSK Configuration: psk_query cannot be empty"); error: -#if OPENSSL_VERSION_NUMBER < 0x10100000L - FR_OPENSSL_BIND_MEMORY_END; -#endif SSL_CTX_free(ctx); return NULL; } @@ -861,13 +845,6 @@ post_ca: */ if (conf->dh_file && (ctx_dh_params_load(ctx, UNCONST(char *, conf->dh_file)) < 0)) goto error; - /* - * We're done configuring the ctx. - */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L - FR_OPENSSL_BIND_MEMORY_END; -#endif - /* * Setup session caching */ diff --git a/src/lib/tls/log.c b/src/lib/tls/log.c index 1310c251107..a04a00d93be 100644 --- a/src/lib/tls/log.c +++ b/src/lib/tls/log.c @@ -33,7 +33,6 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include #include "log.h" -#include "missing.h" /** Holds the state of a log BIO * diff --git a/src/lib/tls/missing.h b/src/lib/tls/missing.h deleted file mode 100644 index 4865020000b..00000000000 --- a/src/lib/tls/missing.h +++ /dev/null @@ -1,84 +0,0 @@ -#pragma once -/* - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA - */ -#include -#include - -#if OPENSSL_VERSION_NUMBER < 0x10100000L -# define EVP_MD_CTX_new EVP_MD_CTX_create -# define EVP_MD_CTX_free EVP_MD_CTX_destroy -# define EVP_MD_CTX_reset EVP_MD_CTX_cleanup - -static inline HMAC_CTX *HMAC_CTX_new(void) -{ - HMAC_CTX *ctx; - - ctx = OPENSSL_malloc(sizeof(*ctx)); /* Between HMAC_ctx_init and HMAC_init everything is zeroed */ - if (!ctx) return NULL; - - HMAC_CTX_init(ctx); - return ctx; -} - -static inline void HMAC_CTX_free(HMAC_CTX *ctx) -{ - if (ctx == NULL) return; - HMAC_CTX_cleanup(ctx); - OPENSSL_free(ctx); -} - -static inline int HMAC_CTX_reset(HMAC_CTX *ctx) -{ - if (!ctx) return 0; - - HMAC_CTX_cleanup(ctx); - - return 1; -} - -/* - * OpenSSL compatibility, to avoid ifdef's through the rest of the code. - */ -static inline size_t SSL_get_client_random(const SSL *s, unsigned char *out, size_t outlen) -{ - if (!outlen) return sizeof(s->s3->client_random); - - if (outlen > sizeof(s->s3->client_random)) outlen = sizeof(s->s3->client_random); - - memcpy(out, s->s3->client_random, outlen); - return outlen; -} - -static inline size_t SSL_get_server_random(const SSL *s, unsigned char *out, size_t outlen) -{ - if (!outlen) return sizeof(s->s3->server_random); - - if (outlen > sizeof(s->s3->server_random)) outlen = sizeof(s->s3->server_random); - - memcpy(out, s->s3->server_random, outlen); - return outlen; -} - -static inline size_t SSL_SESSION_get_master_key(const SSL_SESSION *s, unsigned char *out, size_t outlen) -{ - if (!outlen) return s->master_key_length; - - if (outlen > (size_t)s->master_key_length) outlen = (size_t)s->master_key_length; - - memcpy(out, s->master_key, outlen); - return outlen; -} -#endif diff --git a/src/lib/tls/pairs.c b/src/lib/tls/pairs.c index 659324db2e5..8629be45a86 100644 --- a/src/lib/tls/pairs.c +++ b/src/lib/tls/pairs.c @@ -105,12 +105,7 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c char **identity; int attr_index, loc; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L STACK_OF(X509_EXTENSION) const *ext_list = NULL; -#else - STACK_OF(X509_EXTENSION) *ext_list = NULL; -#endif - ASN1_INTEGER *sn = NULL; ASN1_TIME *asn_time = NULL; @@ -212,23 +207,15 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c switch (name->type) { #ifdef GEN_EMAIL case GEN_EMAIL: { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L char const *rfc822Name = (char const *)ASN1_STRING_get0_data(name->d.rfc822Name); -#else - char *rfc822Name = (char *)ASN1_STRING_data(name->d.rfc822Name); -#endif - CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_EMAIL, attr_index, rfc822Name); break; } #endif /* GEN_EMAIL */ #ifdef GEN_DNS - case GEN_DNS: { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L + case GEN_DNS: + { char const *dNSName = (char const *)ASN1_STRING_get0_data(name->d.dNSName); -#else - char *dNSName = (char *)ASN1_STRING_data(name->d.dNSName); -#endif CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_DNS, attr_index, dNSName); break; } @@ -261,11 +248,7 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c * Only add extensions for the actual client certificate */ if (attr_index == 0) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L ext_list = X509_get0_extensions(cert); -#else - ext_list = cert->cert_info->extensions; -#endif /* * Grab the X509 extensions, and create attributes out of them. diff --git a/src/lib/tls/session.c b/src/lib/tls/session.c index 94256762b96..0aab080cecc 100644 --- a/src/lib/tls/session.c +++ b/src/lib/tls/session.c @@ -46,7 +46,6 @@ #include "attrs.h" #include "base.h" #include "log.h" -#include "missing.h" static char const *tls_version_str[] = { [SSL2_VERSION] = "SSL 2.0", @@ -464,7 +463,7 @@ void fr_tls_session_info_cb(SSL const *ssl, int where, int ret) RDEBUG3("Handshake state [%.*s] - %s%s", (int)len, abbrv, role, state); -#if defined(OPENSSL_NO_SSL_TRACE) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) +#ifdef OPENSSL_NO_SSL_TRACE { STACK_OF(SSL_CIPHER) *server_ciphers; STACK_OF(SSL_CIPHER) *client_ciphers; diff --git a/src/lib/tls/utils.c b/src/lib/tls/utils.c index bb789445126..1b9c1ac4055 100644 --- a/src/lib/tls/utils.c +++ b/src/lib/tls/utils.c @@ -27,7 +27,6 @@ #include #include "base.h" -#include "missing.h" /** PKEY types (friendly names) * @@ -84,28 +83,6 @@ int fr_tls_utils_keyblock_size_get(request_t *request, SSL *ssl) { const EVP_CIPHER *c; const EVP_MD *h; -#if OPENSSL_VERSION_NUMBER < 0x10100000L - int md_size; - - if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL || ssl->read_hash == NULL) - return -1; - - c = ssl->enc_read_ctx->cipher; - h = EVP_MD_CTX_md(ssl->read_hash); - if (h) - md_size = EVP_MD_size(h); - else if (ssl->s3) - md_size = ssl->s3->tmp.new_mac_secret_size; - else - return -1; - - RDEBUG2("OpenSSL: keyblock size: key_len=%d MD_size=%d " - "IV_len=%d", EVP_CIPHER_key_length(c), md_size, - EVP_CIPHER_iv_length(c)); - return 2 * (EVP_CIPHER_key_length(c) + - md_size + - EVP_CIPHER_iv_length(c)); -#else const SSL_CIPHER *ssl_cipher; int cipher, digest; @@ -127,7 +104,6 @@ int fr_tls_utils_keyblock_size_get(request_t *request, SSL *ssl) EVP_CIPHER_iv_length(c)); return 2 * (EVP_CIPHER_key_length(c) + EVP_MD_size(h) + EVP_CIPHER_iv_length(c)); -#endif } /** Convert OpenSSL's ASN1_TIME to an epoch time diff --git a/src/lib/tls/validate.c b/src/lib/tls/validate.c index 27dc1d630aa..65f56c7a1bb 100644 --- a/src/lib/tls/validate.c +++ b/src/lib/tls/validate.c @@ -38,7 +38,6 @@ #include "attrs.h" #include "base.h" -#include "missing.h" DIAG_OFF(DIAG_UNKNOWN_PRAGMAS) DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */ @@ -56,10 +55,6 @@ DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */ * 3. Verify that the certificate has not been revoked by its issuing Certificate * Authority, by checking with respect to a Certificate Revocation List (CRL). * - * 4. Verify that the credentials presented by the certificate fulfill additional - * requirements specific to the application, such as with respect to access control - * lists or with respect to OCSP (Online Certificate Status Processing). - * * @note This callback will be called multiple times based on the depth of the root * certificate chain. * @@ -110,12 +105,7 @@ int fr_tls_validate_cert_cb(int ok, X509_STORE_CTX *x509_ctx) STACK_OF(X509) *our_chain = X509_STORE_CTX_get_chain(x509_ctx); int i; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L RDEBUG3("Certificate chain - %i cert(s) untrusted", X509_STORE_CTX_get_num_untrusted(x509_ctx)); -#else - RDEBUG3("Certificate chain"); -#endif - for (i = sk_X509_num(our_chain); i > 0 ; i--) { X509 *this_cert = sk_X509_value(our_chain, i - 1); diff --git a/src/lib/unlang/xlat_builtin.c b/src/lib/unlang/xlat_builtin.c index ad4a36b6625..bcda6a07b36 100644 --- a/src/lib/unlang/xlat_builtin.c +++ b/src/lib/unlang/xlat_builtin.c @@ -2553,10 +2553,8 @@ EVP_MD_XLAT(sha2_256, sha256) EVP_MD_XLAT(sha2_384, sha384) EVP_MD_XLAT(sha2_512, sha512) -# if OPENSSL_VERSION_NUMBER >= 0x10100000L EVP_MD_XLAT(blake2s_256, blake2s256) EVP_MD_XLAT(blake2b_512, blake2b512) -# endif # if OPENSSL_VERSION_NUMBER >= 0x10101000L EVP_MD_XLAT(sha3_224, sha3_224) @@ -3138,10 +3136,8 @@ do { \ XLAT_REGISTER_MONO("sha2_384", xlat_func_sha2_384, xlat_func_sha_arg); XLAT_REGISTER_MONO("sha2_512", xlat_func_sha2_512, xlat_func_sha_arg); -# if OPENSSL_VERSION_NUMBER >= 0x10100000L XLAT_REGISTER_MONO("blake2s_256", xlat_func_blake2s_256, xlat_func_sha_arg); XLAT_REGISTER_MONO("blake2b_512", xlat_func_blake2b_512, xlat_func_sha_arg); -# endif # if OPENSSL_VERSION_NUMBER >= 0x10101000L XLAT_REGISTER_MONO("sha3_224", xlat_func_sha3_224, xlat_func_sha_arg); diff --git a/src/lib/util/hmac_md5.c b/src/lib/util/hmac_md5.c index 1d5d6e5d57c..fcfc32c7756 100644 --- a/src/lib/util/hmac_md5.c +++ b/src/lib/util/hmac_md5.c @@ -35,7 +35,6 @@ RCSID("$Id$") #ifdef HAVE_OPENSSL_EVP_H # include -# include static _Thread_local HMAC_CTX *md5_hmac_ctx; diff --git a/src/lib/util/hmac_sha1.c b/src/lib/util/hmac_sha1.c index d5b33ba6ffc..a87ec020bcf 100644 --- a/src/lib/util/hmac_sha1.c +++ b/src/lib/util/hmac_sha1.c @@ -40,7 +40,6 @@ unsigned int sha1_data_problems = 0; #ifdef HAVE_OPENSSL_EVP_H # include -# include static _Thread_local HMAC_CTX *sha1_hmac_ctx; diff --git a/src/lib/util/md4.c b/src/lib/util/md4.c index 2ede6528af4..7ae2c81f8d8 100644 --- a/src/lib/util/md4.c +++ b/src/lib/util/md4.c @@ -29,12 +29,6 @@ static _Thread_local fr_md4_ctx_t *md4_ctx; # include # include -#if OPENSSL_VERSION_NUMBER < 0x10100000L -# define EVP_MD_CTX_new EVP_MD_CTX_create -# define EVP_MD_CTX_free EVP_MD_CTX_destroy -# define EVP_MD_CTX_reset EVP_MD_CTX_cleanup -#endif - static int have_openssl_md4 = -1; static void _md4_ctx_openssl_free_on_exit(void *arg) diff --git a/src/lib/util/md5.c b/src/lib/util/md5.c index 972f5f303a4..e73ea84b602 100644 --- a/src/lib/util/md5.c +++ b/src/lib/util/md5.c @@ -40,12 +40,6 @@ static _Thread_local fr_md5_free_list_t * md5_array; # include # include -#if OPENSSL_VERSION_NUMBER < 0x10100000L -# define EVP_MD_CTX_new EVP_MD_CTX_create -# define EVP_MD_CTX_free EVP_MD_CTX_destroy -# define EVP_MD_CTX_reset EVP_MD_CTX_cleanup -#endif - static int have_openssl_md5 = -1; static void _md5_ctx_openssl_free_on_exit(void *arg) diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.h b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.h index 8cbbb5e0845..8dfc67a4f05 100644 --- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.h +++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.h @@ -27,8 +27,6 @@ */ RCSIDH(eap_fast_crypto_h, "$Id$") -#include - void T_PRF(unsigned char const *secret, unsigned int secret_len, char const *prf_label, unsigned char const *seed, unsigned int seed_len, unsigned char *out, unsigned int out_len) CC_HINT(nonnull(1,3,6)); int eap_fast_encrypt(uint8_t const *plaintext, size_t plaintext_len, diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c index 8d4a3060125..1deac3f50b0 100644 --- a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c +++ b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c @@ -219,16 +219,9 @@ static void eap_fast_session_ticket(fr_tls_session_t *tls_session, const SSL *s, *secret_len = SSL_MAX_MASTER_KEY_LENGTH; } -// hostap:src/crypto/tls_openssl.c:tls_sess_sec_cb() -#if OPENSSL_VERSION_NUMBER < 0x10100000L -static int _session_secret(SSL *s, void *secret, int *secret_len, - UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers, - UNUSED SSL_CIPHER **cipher, void *arg) -#else static int _session_secret(SSL *s, void *secret, int *secret_len, UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers, UNUSED SSL_CIPHER const **cipher, void *arg) -#endif { // FIXME enforce non-anon cipher diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c index 4ff7bd7d99e..cdf3e561268 100644 --- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c +++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c @@ -36,7 +36,6 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include #include -#include #include #include "eap_pwd.h" diff --git a/src/modules/rlm_ocsp/ocsp.c b/src/modules/rlm_ocsp/ocsp.c index bc43f82e57e..3ea59bbfd09 100644 --- a/src/modules/rlm_ocsp/ocsp.c +++ b/src/modules/rlm_ocsp/ocsp.c @@ -43,7 +43,6 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include "attrs.h" #include "base.h" #include "log.h" -#include "missing.h" /** Rcodes returned by the OCSP check function */ @@ -212,9 +211,8 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data) goto error; } -#if OPENSSL_VERSION_NUMBER >= 0x10102000L if (SSL_get0_chain_certs(ssl, &our_chain) == 0) { -#else + /* * Ignore the return code for older versions of * OpenSSL. diff --git a/src/modules/rlm_wimax/rlm_wimax.c b/src/modules/rlm_wimax/rlm_wimax.c index 9353703568c..beb605c5057 100644 --- a/src/modules/rlm_wimax/rlm_wimax.c +++ b/src/modules/rlm_wimax/rlm_wimax.c @@ -29,7 +29,6 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ #include #include #include -#include #include /*