From b080665e7ea1955764e9e80392b1f6e52a740c3b Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Mon, 24 Oct 2022 14:05:16 +0300
Subject: [PATCH] m4: Update ssl.m4

---
 m4/ssl.m4 | 178 +++++++-----
 src/lib-dcrypt/dcrypt-openssl.c | 26 +-
 src/lib-ssl-iostream/dovecot-openssl-common.c | 8 +-
 .../iostream-openssl-context.c | 8 +-
 src/lib-ssl-iostream/iostream-openssl.c | 6 +-
 5 files changed, 91 insertions(+), 135 deletions(-)

diff --git a/m4/ssl.m4 b/m4/ssl.m4
index 6c2a0eaa95..e3a1656623 100644
--- a/m4/ssl.m4
+++ b/m4/ssl.m4
@@ -1,3 +1,25 @@
+dnl DOVECOT_CHECK_SSL_FUNC(function)
+AC_DEFUN([DOVECOT_CHECK_SSL_FUNC], [
+ AC_CHECK_DECL([$1], AC_DEFINE(HAVE_$1,, [Define if you have $1]),,
+[[#include
+#include
+#include
+#include
+#include
+#include
+#include
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include
+#include
+#include
+#include
+#include
+#endif
+#include
+#include
+]])
+])
+
 AC_DEFUN([DOVECOT_SSL], [
 build_dcrypt_openssl=no
 have_openssl=no
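Review bot: DOVECOT_CHECK_SSL_FUNC only tests that the symbol is declared (AC_CHECK_DECL is a compile test), whereas the checks it replaces further down in this patch linked against -lssl; a symbol present in the headers but missing from the library actually linked (header/library skew) now passes configure and surfaces only at final link time, if at all. That may be an accepted trade-off, but the macro should say so: I would extend the `dnl DOVECOT_CHECK_SSL_FUNC(function)` line with `dnl Defines HAVE_<function> (same case as the symbol) when the OpenSSL headers declare it; this is a declaration check, not a link check.` AC_CHECK_DECL treats a macro as declared, which is what keeps the check usable for symbols that older OpenSSL releases implemented as macros, and that is worth a word in the same comment.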
@@ -34,28 +56,10 @@ AC_DEFUN([DOVECOT_SSL], [
 AC_MSG_ERROR([OpenSSL v1.0.2 or better required to build Dovecot])
 ])
 
- dnl * SSL_clear_options introduced in openssl 0.9.8m but may be backported to
- dnl * older versions in "enterprise" OS releases; originally implemented as a
- dnl * macro but as a function in more recent openssl versions
- AC_CACHE_CHECK([whether SSL_clear_options exists],i_cv_have_ssl_clear_options,[
- old_LIBS=$LIBS
- LIBS="$LIBS -lssl"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[
- #include
- ]], [[
- SSL *ssl;
- long options;
- SSL_clear_options(ssl, options);
- ]])], [
- i_cv_have_ssl_clear_options=yes
- ],[
- i_cv_have_ssl_clear_options=no
- ])
- LIBS=$old_LIBS
- ])
- AS_IF([test $i_cv_have_ssl_clear_options = yes], [
- AC_DEFINE(HAVE_SSL_CLEAR_OPTIONS,, [Define if you have SSL_clear_options])
- ])
+ SSL_CFLAGS="$SSL_CFLAGS -DOPENSSL_NO_DEPRECATED -DOPENSSL_API_COMPAT=0x1000200L"
+
+ old_CFLAGS="$CFLAGS"
+ CFLAGS="$old_CFLAGS $SSL_CFLAGS"
 
 dnl * New style mem functions? Should be in v1.1+
 AC_CACHE_CHECK([whether CRYPTO_set_mem_functions has new style parameters],i_cv_have_ssl_new_mem_funcs,[
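Review bot: The `-DOPENSSL_NO_DEPRECATED -DOPENSSL_API_COMPAT=0x1000200L` flags are pushed into CFLAGS before the declaration checks run, so from here on a HAVE_<symbol> result means "declared at this API level with deprecated APIs hidden", not "present in the library", and nothing in the hunk records that intent. I would add `dnl Apply the deprecation/compat flags before the checks so they see the same OpenSSL API surface as the build does` above the `old_CFLAGS="$CFLAGS"` line. The hunk also appends to SSL_CFLAGS; whether that variable reaches the compile of the sources is outside this hunk, so I have not verified that the checks and the build really agree.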
@@ -79,95 +83,45 @@ AC_DEFUN([DOVECOT_SSL], [
 AC_DEFINE(HAVE_SSL_NEW_MEM_FUNCS,, [Define if CRYPTO_set_mem_functions has new style parameters])
 ])
 
- dnl * SSL_CTX_set_min_proto_version is also a macro so AC_CHECK_LIB fails here.
- AC_CACHE_CHECK([whether SSL_CTX_set_min_proto_version exists],i_cv_have_ssl_ctx_set_min_proto_version,[
- old_LIBS=$LIBS
- LIBS="$LIBS -lssl"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[
- #include
- ]], [[
- SSL_CTX_set_min_proto_version((void*)0, 0);
- ]])],[
- i_cv_have_ssl_ctx_set_min_proto_version=yes
- ],[
- i_cv_have_ssl_ctx_set_min_proto_version=no
- ])
- LIBS=$old_LIBS
- ])
- AS_IF([test $i_cv_have_ssl_ctx_set_min_proto_version = yes], [
- AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION,, [Define if you have SSL_CTX_set_min_proto_version])
- ])
-
- dnl * SSL_CTX_set_current_cert is also a macro so AC_CHECK_LIB fails here.
- AC_CACHE_CHECK([whether SSL_CTX_set_current_cert exists],i_cv_have_ssl_ctx_set_current_cert,[
- old_LIBS=$LIBS
- LIBS="$LIBS -lssl"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[
- #include
- ]], [[
- SSL_CTX_set_current_cert((void*)0, 0);
- ]])],[
- i_cv_have_ssl_ctx_set_current_cert=yes
- ],[
- i_cv_have_ssl_ctx_set_current_cert=no
- ])
- LIBS=$old_LIBS
- ])
- AS_IF([test $i_cv_have_ssl_ctx_set_current_cert = yes], [
- AC_DEFINE(HAVE_SSL_CTX_SET_CURRENT_CERT,, [Define if you have SSL_CTX_set_current_cert])
- ])
-
-
- AC_CHECK_LIB(ssl, SSL_CIPHER_get_kx_nid, [
- AC_DEFINE(HAVE_SSL_CIPHER_get_kx_nid,, [Define if you have SSL_CIPHER_get_kx_nid])
- ],, $SSL_LIBS)
+ DOVECOT_CHECK_SSL_FUNC([ASN1_STRING_get0_data])
+ DOVECOT_CHECK_SSL_FUNC([BN_secure_new])
+ DOVECOT_CHECK_SSL_FUNC([ECDSA_SIG_get0])
+ DOVECOT_CHECK_SSL_FUNC([ECDSA_SIG_set0])
+ DOVECOT_CHECK_SSL_FUNC([EC_GROUP_order_bits])
+ DOVECOT_CHECK_SSL_FUNC([ERR_get_error_all])
+ DOVECOT_CHECK_SSL_FUNC([ERR_get_error_line_data])
+ DOVECOT_CHECK_SSL_FUNC([ERR_remove_state])
+ DOVECOT_CHECK_SSL_FUNC([ERR_remove_thread_state])
+ DOVECOT_CHECK_SSL_FUNC([EVP_EC_gen])
+ DOVECOT_CHECK_SSL_FUNC([EVP_MAC_CTX_new])
+ DOVECOT_CHECK_SSL_FUNC([EVP_MD_CTX_new])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_get0_RSA])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_get0_EC_KEY])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_get0_DH])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_set1_encoded_public_key])
+ DOVECOT_CHECK_SSL_FUNC([EVP_PKEY_EC])
+ DOVECOT_CHECK_SSL_FUNC([HMAC_CTX_init])
+ DOVECOT_CHECK_SSL_FUNC([HMAC_CTX_new])
+ DOVECOT_CHECK_SSL_FUNC([OBJ_cleanup])
+ DOVECOT_CHECK_SSL_FUNC([OBJ_length])
+ DOVECOT_CHECK_SSL_FUNC([OPENSSL_cleanup])
+ DOVECOT_CHECK_SSL_FUNC([OPENSSL_init_ssl])
+ DOVECOT_CHECK_SSL_FUNC([OPENSSL_thread_stop])
+ DOVECOT_CHECK_SSL_FUNC([OSSL_PROVIDER_try_load])
+ DOVECOT_CHECK_SSL_FUNC([PEM_read_bio_Parameters])
+ DOVECOT_CHECK_SSL_FUNC([RSA_set0_crt_params])
+ DOVECOT_CHECK_SSL_FUNC([RSA_set0_factors])
+ DOVECOT_CHECK_SSL_FUNC([RSA_set0_key])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CIPHER_get_kx_nid])
+ DOVECOT_CHECK_SSL_FUNC([SSL_clear_options])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set0_tmp_dh_pkey])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_ciphersuites])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_current_cert])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_min_proto_version])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_tmp_dh_callback])
+ DOVECOT_CHECK_SSL_FUNC([SSL_CTX_set_tmp_rsa_callback])
+ DOVECOT_CHECK_SSL_FUNC([SSL_get1_peer_certificate])
+ DOVECOT_CHECK_SSL_FUNC([SSL_load_error_strings])
 
- AC_CHECK_LIB(ssl, ERR_remove_thread_state, [
- AC_DEFINE(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE,, [Define if you have ERR_remove_thread_state])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, OPENSSL_thread_stop, [
- AC_DEFINE(HAVE_OPENSSL_AUTO_THREAD_DEINIT,, [Define if OpenSSL performs thread cleanup automatically])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, OPENSSL_cleanup, [
- AC_DEFINE(HAVE_OPENSSL_CLEANUP,, [OpenSSL supports OPENSSL_cleanup()])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, ASN1_STRING_get0_data, [
- AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA,, [Build with ASN1_STRING_get0_data() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, HMAC_CTX_new, [
- AC_DEFINE(HAVE_HMAC_CTX_NEW,, [Build with HMAC_CTX_new() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, EVP_MD_CTX_new, [
- AC_DEFINE(HAVE_EVP_MD_CTX_NEW,, [Build with EVP_MD_CTX_new() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, OBJ_length, [
- AC_DEFINE(HAVE_OBJ_LENGTH,, [Build with OBJ_length() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, EVP_PKEY_get0_RSA, [
- AC_DEFINE(HAVE_EVP_PKEY_get0,, [Build with EVP_PKEY_get0_*() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [
- AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES,, [Build with SSL_CTX_set_ciphersuites() support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, BN_secure_new, [
- AC_DEFINE(HAVE_BN_SECURE_NEW,, [Build with BN_secure_new support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, RSA_set0_key, [
- AC_DEFINE(HAVE_RSA_SET0_KEY,, [Build with RSA_set0_key support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, RSA_set0_factors, [
- AC_DEFINE(HAVE_RSA_SET0_FACTORS,, [Build with RSA_set0_factors support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, RSA_set0_crt_params, [
- AC_DEFINE(HAVE_RSA_SET0_CRT_PARAMS,, [Build with RSA_set0_crt_params support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, ECDSA_SIG_get0, [
- AC_DEFINE(HAVE_ECDSA_SIG_GET0,, [Build with ECDSA_SIG_get0 support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, ECDSA_SIG_set0, [
- AC_DEFINE(HAVE_ECDSA_SIG_SET0,, [Build with ECDSA_SIG_set0 support])
- ],, $SSL_LIBS)
- AC_CHECK_LIB(ssl, EC_GROUP_order_bits, [
- AC_DEFINE(HAVE_EC_GROUP_order_bits,, [Build with EC_GROUP_order_bits support])
- ],, $SSL_LIBS)
+ CFLAGS="$old_CFLAGS"
 ])
diff --git a/src/lib-dcrypt/dcrypt-openssl.c b/src/lib-dcrypt/dcrypt-openssl.c
index ea8b31ecba..510a0ab724 100644
--- a/src/lib-dcrypt/dcrypt-openssl.c
+++ b/src/lib-dcrypt/dcrypt-openssl.c
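Review bot: The switch from the old upper-case defines to HAVE_<symbol> leaves at least one name without a consumer update anywhere in this patch: HAVE_ASN1_STRING_GET0_DATA becomes HAVE_ASN1_STRING_get0_data here, yet no hunk touches a file that tests it, so any source still using the old spelling silently takes its fallback branch from now on; a grep of the tree for every name removed in this hunk before merging would settle whether that is the case. The list also mixes constants with functions (EVP_PKEY_EC is a macro constant, not a function), which AC_CHECK_DECL copes with but the `dnl DOVECOT_CHECK_SSL_FUNC(function)` wording does not cover. Since the new names keep the symbol's case rather than the usual all-caps HAVE_ convention, a line above the list such as `dnl Each entry defines HAVE_<symbol> using the symbol's exact case; C sources must spell it identically` would make the convention explicit and make future typos easier to spot.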
@@ -73,21 +73,23 @@
 2key algo oid1symmetric algo namesalthash algoroundsE(RSA = i2d_PrivateKey, EC=Private Point)key id
 **/
 
-#ifndef HAVE_EVP_PKEY_get0
+#ifndef HAVE_EVP_PKEY_get0_EC_KEY
 #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
+#endif
+#ifndef HAVE_EVP_PKEY_get0_RSA
 #define EVP_PKEY_get0_RSA(x) x->pkey.rsa
 #endif
 
-#ifndef HAVE_OBJ_LENGTH
+#ifndef HAVE_OBJ_length
 #define OBJ_length(o) ((o)->length)
 #endif
 
-#ifndef HAVE_EVP_MD_CTX_NEW
+#ifndef HAVE_EVP_MD_CTX_new
 # define EVP_MD_CTX_new() EVP_MD_CTX_create()
 # define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy(ctx)
 #endif
 
-#ifndef HAVE_HMAC_CTX_NEW
+#ifndef HAVE_HMAC_CTX_new
 # define HMAC_Init_ex(ctx, key, key_len, md, impl) \
 HMAC_Init_ex(&(ctx), key, key_len, md, impl)
 # define HMAC_Update(ctx, data, len) HMAC_Update(&(ctx), data, len)
@@ -99,7 +101,7 @@
 #endif
 
 /* Not always present */
-#ifndef HAVE_BN_SECURE_NEW
+#ifndef HAVE_BN_secure_new
 # define BN_secure_new BN_new
 #endif
 
@@ -125,7 +127,7 @@ struct dcrypt_context_symmetric {
 struct dcrypt_context_hmac {
 pool_t pool;
 const EVP_MD *md;
-#ifdef HAVE_HMAC_CTX_NEW
+#ifdef HAVE_HMAC_CTX_new
 HMAC_CTX *ctx;
 #else
 HMAC_CTX ctx;
@@ -627,7 +629,7 @@ dcrypt_openssl_ctx_hmac_init(struct dcrypt_context_hmac *ctx,
 int ec;
 
 i_assert(ctx->md != NULL);
-#ifdef HAVE_HMAC_CTX_NEW
+#ifdef HAVE_HMAC_CTX_new
 ctx->ctx = HMAC_CTX_new();
 if (ctx->ctx == NULL)
 return dcrypt_openssl_error(error_r);
@@ -1593,7 +1595,7 @@ static bool load_jwk_ec_key(EVP_PKEY **key_r, bool want_private_key,
 }
 
 /* RSA helpers */
-#if !defined(HAVE_RSA_SET0_KEY)
+#if !defined(HAVE_RSA_set0_key)
 static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
 {
 if (n == NULL || e == NULL) {
@@ -1609,7 +1611,7 @@ static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
 return 1;
 }
 #endif
-#if !defined(HAVE_RSA_SET0_FACTORS)
+#if !defined(HAVE_RSA_set0_factors)
 static int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
 {
 if (p == NULL || q == NULL) {
@@ -1623,7 +1625,7 @@ static int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
 return 1;
 }
 #endif
-#if !defined(HAVE_RSA_SET0_CRT_PARAMS)
+#if !defined(HAVE_RSA_set0_crt_params)
 static int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
 {
 if (dmp1 == NULL || dmq1 == NULL || iqmp == NULL) {
@@ -3123,7 +3125,7 @@ dcrypt_openssl_digest(const char *algorithm, const void *data, size_t data_len,
 return ret;
 }
 
-#ifndef HAVE_ECDSA_SIG_GET0
+#ifndef HAVE_ECDSA_SIG_get0
 static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
 {
 i_assert(sig != NULL);
@@ -3131,7 +3133,7 @@ static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM
 *ps = sig->s;
 }
 #endif
-#ifndef HAVE_ECDSA_SIG_SET0
+#ifndef HAVE_ECDSA_SIG_set0
 static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
 {
 if (sig == NULL || r == NULL || s == NULL) {
diff --git a/src/lib-ssl-iostream/dovecot-openssl-common.c b/src/lib-ssl-iostream/dovecot-openssl-common.c
index e784a96935..72ef119e80 100644
--- a/src/lib-ssl-iostream/dovecot-openssl-common.c
+++ b/src/lib-ssl-iostream/dovecot-openssl-common.c
@@ -88,17 +88,17 @@ bool dovecot_openssl_common_global_unref(void)
 ENGINE_cleanup();
 EVP_cleanup();
 CRYPTO_cleanup_all_ex_data();
-#ifdef HAVE_OPENSSL_AUTO_THREAD_DEINIT
+#ifdef HAVE_OPENSSL_thread_stop
 /* no cleanup needed */
-#elif defined(HAVE_OPENSSL_ERR_REMOVE_THREAD_STATE)
+#elif defined(HAVE_ERR_remove_thread_state)
 /* This was marked as deprecated in v1.1. */
 ERR_remove_thread_state(NULL);
-#else
+#elif defined(HAVE_ERR_remove_state)
 /* This was deprecated by ERR_remove_thread_state(NULL) in v1.0.0. */
 ERR_remove_state(0);
 #endif
 ERR_free_strings();
-#ifdef HAVE_OPENSSL_CLEANUP
+#ifdef HAVE_OPENSSL_cleanup
 OPENSSL_cleanup();
 #endif
 return FALSE;
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 9736cb464f..3da5b6af64 100644
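Review bot: Turning the final `#else` into `#elif defined(HAVE_ERR_remove_state)` in the dovecot-openssl-common.c hunk means that a build where none of the three defines is set silently skips the per-thread error-state cleanup, with no compile-time signal. With the 1.0.2 floor enforced earlier in this patch that combination should not occur, since the ERR_remove_thread_state declaration has been present since 1.0.0, but the chain should say so rather than fall through quietly: I would close it with `#else` / `# error "no OpenSSL thread-state cleanup function detected"` before the `#endif`, so an unexpected configure result fails loudly instead of leaking per-thread state on unref. dovecot_openssl_common_global_unref starts before this hunk.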
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -205,7 +205,7 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
 ret = 0;
 
 if (ret != 0) {
-#ifdef HAVE_SSL_CTX_SET_CURRENT_CERT
+#ifdef HAVE_SSL_CTX_set_current_cert
 SSL_CTX_select_current_cert(ctx, x);
 #endif
 /* If we could set up our certificate, now proceed to
@@ -234,7 +234,7 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
 end:
 if (x != NULL) X509_free(x);
 BIO_free(in);
-#ifdef HAVE_SSL_CTX_SET_CURRENT_CERT
+#ifdef HAVE_SSL_CTX_set_current_cert
 SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
 #endif
 return ret;
@@ -412,7 +412,7 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 set->curve_list);
 return -1;
 }
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+#ifdef HAVE_SSL_CTX_set_ciphersuites
 if (set->ciphersuites != NULL &&
 SSL_CTX_set_ciphersuites(ctx->ssl_ctx, set->ciphersuites) == 0) {
 *error_r = t_strdup_printf("Can't set ciphersuites to '%s': %s",
@@ -434,7 +434,7 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 set->min_protocol);
 return -1;
 }
-#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+#ifdef HAVE_SSL_CTX_SET_min_proto_version
 SSL_CTX_set_min_proto_version(ctx->ssl_ctx, min_protocol);
 #else
 SSL_CTX_set_options(ctx->ssl_ctx, opts);
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 3042a3ec37..825967bdb0 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -190,7 +190,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 return -1;
 }
 }
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+#ifdef HAVE_SSL_CTX_set_ciphersuites
 if (set->ciphersuites != NULL &&
 strcmp(ctx_set->ciphersuites, set->ciphersuites) != 0) {
 if (SSL_set_ciphersuites(ssl_io->ssl, set->ciphersuites) == 0) {
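Review bot: `#ifdef HAVE_SSL_CTX_SET_min_proto_version` in the @@ -434 hunk of iostream-openssl-context.c does not match the name ssl.m4 now defines, `HAVE_SSL_CTX_set_min_proto_version` (HAVE_$1 with the symbol's exact case, as the iostream-openssl.c hunk @@ -216 spells it), so the guard is never true and every build takes the `#else` branch, enforcing the context's minimum protocol only through `SSL_CTX_set_options(ctx->ssl_ctx, opts)` instead of SSL_CTX_set_min_proto_version. The fix is the one-character-case change `#ifdef HAVE_SSL_CTX_set_min_proto_version`. Whether the `opts` mask computed above the hunk covers every protocol version the linked OpenSSL offers is outside this hunk, so I cannot say how much weaker the fallback is, but the per-context and per-connection paths now diverge silently, which is exactly the kind of regression a test asserting the negotiated version against a raised min_protocol would catch. ssl_iostream_context_set continues outside the hunk.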
@@ -204,7 +204,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 if (set->prefer_server_ciphers)
 SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
 if (set->min_protocol != NULL) {
-#if defined(HAVE_SSL_CLEAR_OPTIONS)
+#if defined(HAVE_SSL_clear_options)
 SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
 #endif
 long opts;
@@ -216,7 +216,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 set->min_protocol);
 return -1;
 }
-#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+#ifdef HAVE_SSL_CTX_set_min_proto_version
 SSL_set_min_proto_version(ssl_io->ssl, min_protocol);
 #else
 SSL_set_options(ssl_io->ssl, opts);
-- 
2.47.3