]
)
- AC_MSG_CHECKING([for OpenSSL version >= 1.0.2])
+ AC_MSG_CHECKING([for OpenSSL version >= 1.1.0])
AC_EGREP_CPP(yes,
[#include <openssl/crypto.h>
- #if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
+ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
yes
#endif
],
#include <freeradius-devel/util/sha1.h>
#include <freeradius-devel/tls/base.h>
-#include <freeradius-devel/tls/missing.h>
#include <freeradius-devel/tls/log.h>
#include "tls.h"
#endif
request_t *request, SSL *ssl,
uint8_t **out, uint8_t eap_type,
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
UNUSED
#endif
char const *prf_label,
*out = NULL;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
if (!prf_label) goto random_based_session_id;
switch (SSL_SESSION_get_protocol_version(SSL_get_session(ssl))) {
case TLS1_1_VERSION: /* No Method ID */
case TLS1_2_VERSION: /* No Method ID */
random_based_session_id:
-#endif
MEM(buff = p = talloc_array(ctx, uint8_t, sizeof(eap_type) + (2 * SSL3_RANDOM_SIZE)));
*p++ = eap_type;
}
break;
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
}
-#endif
*out = buff;
return 0;
eap_session->finished = true;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- /*
- * Check session resumption is allowed, disabling it
- * if it's not.
- */
- fr_tls_session_request_bind(tls_session->ssl, request);
- fr_tls_cache_disable_cb(tls_session->ssl, -1);
- fr_tls_session_request_unbind(tls_session->ssl);
-#endif
-
/*
* Build the success packet
*/
.id = "CVE-2016-6304",
.name = "OCSP status request extension",
.comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
- },
- {
- .low = Vm(1,0,2,'i'), /* 1.0.2i */
- .high = Vm(1,0,2,'i'), /* 1.0.2i */
- .id = "CVE-2016-7052",
- .name = "OCSP status request extension",
- .comment = "For more information see https://www.openssl.org/news/secadv/20160926.txt"
- },
- {
- .low = VM(1,0,2), /* 1.0.2 */
- .high = Vm(1,0,2,'h'), /* 1.0.2h */
- .id = "CVE-2016-6304",
- .name = "OCSP status request extension",
- .comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
- },
+ }
};
#endif /* ENABLE_OPENSSL_VERSION_CHECK */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-/*
- * If we're linking against OpenSSL, then it is the
- * duty of the application, if it is multithreaded,
- * to provide OpenSSL with appropriate thread id
- * and mutex locking functions
- *
- * Note: this only implements static callbacks.
- * OpenSSL does not use dynamic locking callbacks
- * right now, but may in the future, so we will have
- * to add them at some point.
- */
-static pthread_mutex_t *global_mutexes = NULL;
-
-static unsigned long _thread_id(void)
-{
- unsigned long ret;
- pthread_t thread = pthread_self();
-
- if (sizeof(ret) >= sizeof(thread)) {
- memcpy(&ret, &thread, sizeof(thread));
- } else {
- memcpy(&ret, &thread, sizeof(ret));
- }
-
- return ret;
-}
-
-/*
- * Use preprocessor magic to get the right function and argument
- * to use. This avoids ifdef's through the rest of the code.
- */
-static void ssl_id_function(CRYPTO_THREADID *id)
-{
- CRYPTO_THREADID_set_numeric(id, _thread_id());
-}
-#define set_id_callback CRYPTO_THREADID_set_callback
-
-
-static void _global_mutex(int mode, int n, UNUSED char const *file, UNUSED int line)
-{
- if (mode & CRYPTO_LOCK) {
- pthread_mutex_lock(&(global_mutexes[n]));
- } else {
- pthread_mutex_unlock(&(global_mutexes[n]));
- }
-}
-
-/** Free the static mutexes we allocated for OpenSSL
- *
- */
-static int _global_mutexes_free(pthread_mutex_t *mutexes)
-{
- size_t i;
-
- /*
- * Ensure OpenSSL doesn't use the locks
- */
- CRYPTO_set_id_callback(NULL);
- CRYPTO_set_locking_callback(NULL);
-
- /*
- * Destroy all the mutexes
- */
- for (i = 0; i < talloc_array_length(mutexes); i++) pthread_mutex_destroy(&(mutexes[i]));
-
- return 0;
-}
-
-/** OpenSSL uses static mutexes which we need to initialise
- *
- * @note Yes, these really are global.
- *
- * @param ctx to alloc mutexes/array in.
- * @return array of mutexes.
- */
-static pthread_mutex_t *global_mutexes_init(TALLOC_CTX *ctx)
-{
- int i = 0;
- pthread_mutex_t *mutexes;
-
-#define SETUP_CRYPTO_LOCK if (i < CRYPTO_num_locks()) pthread_mutex_init(&(mutexes[i++]), NULL)
-
- mutexes = talloc_array(ctx, pthread_mutex_t, CRYPTO_num_locks());
- if (!mutexes) {
- ERROR("Error allocating memory for OpenSSL mutexes!");
- return NULL;
- }
-
- talloc_set_destructor(mutexes, _global_mutexes_free);
-
- /*
- * Some profiling tools only give us the line the mutex
- * was initialised on. In that case this allows us to
- * see which of the mutexes in the profiling tool relates
- * to which OpenSSL mutex.
- *
- * OpenSSL locks are usually indexed from 1, but just to
- * be sure we initialise index 0 too.
- */
- SETUP_CRYPTO_LOCK; /* UNUSED */
- SETUP_CRYPTO_LOCK; /* 1 - CRYPTO_LOCK_ERR */
- SETUP_CRYPTO_LOCK; /* 2 - CRYPTO_LOCK_EX_DATA */
- SETUP_CRYPTO_LOCK; /* 3 - CRYPTO_LOCK_X509 */
- SETUP_CRYPTO_LOCK; /* 4 - CRYPTO_LOCK_X509_INFO */
- SETUP_CRYPTO_LOCK; /* 5 - CRYPTO_LOCK_X509_PKEY */
- SETUP_CRYPTO_LOCK; /* 6 - CRYPTO_LOCK_X509_CRL */
- SETUP_CRYPTO_LOCK; /* 7 - CRYPTO_LOCK_X509_REQ */
- SETUP_CRYPTO_LOCK; /* 8 - CRYPTO_LOCK_DSA */
- SETUP_CRYPTO_LOCK; /* 9 - CRYPTO_LOCK_RSA */
- SETUP_CRYPTO_LOCK; /* 10 - CRYPTO_LOCK_EVP_PKEY */
- SETUP_CRYPTO_LOCK; /* 11 - CRYPTO_LOCK_X509_STORE */
- SETUP_CRYPTO_LOCK; /* 12 - CRYPTO_LOCK_SSL_CTX */
- SETUP_CRYPTO_LOCK; /* 13 - CRYPTO_LOCK_SSL_CERT */
- SETUP_CRYPTO_LOCK; /* 14 - CRYPTO_LOCK_SSL_SESSION */
- SETUP_CRYPTO_LOCK; /* 15 - CRYPTO_LOCK_SSL_SESS_CERT */
- SETUP_CRYPTO_LOCK; /* 16 - CRYPTO_LOCK_SSL */
- SETUP_CRYPTO_LOCK; /* 17 - CRYPTO_LOCK_SSL_METHOD */
- SETUP_CRYPTO_LOCK; /* 18 - CRYPTO_LOCK_RAND */
- SETUP_CRYPTO_LOCK; /* 19 - CRYPTO_LOCK_RAND2 */
- SETUP_CRYPTO_LOCK; /* 20 - CRYPTO_LOCK_MALLOC */
- SETUP_CRYPTO_LOCK; /* 21 - CRYPTO_LOCK_BIO */
- SETUP_CRYPTO_LOCK; /* 22 - CRYPTO_LOCK_GETHOSTBYNAME */
- SETUP_CRYPTO_LOCK; /* 23 - CRYPTO_LOCK_GETSERVBYNAME */
- SETUP_CRYPTO_LOCK; /* 24 - CRYPTO_LOCK_READDIR */
- SETUP_CRYPTO_LOCK; /* 25 - CRYPTO_LOCRYPTO_LOCK_RSA_BLINDING */
- SETUP_CRYPTO_LOCK; /* 26 - CRYPTO_LOCK_DH */
- SETUP_CRYPTO_LOCK; /* 27 - CRYPTO_LOCK_MALLOC2 */
- SETUP_CRYPTO_LOCK; /* 28 - CRYPTO_LOCK_DSO */
- SETUP_CRYPTO_LOCK; /* 29 - CRYPTO_LOCK_DYNLOCK */
- SETUP_CRYPTO_LOCK; /* 30 - CRYPTO_LOCK_ENGINE */
- SETUP_CRYPTO_LOCK; /* 31 - CRYPTO_LOCK_UI */
- SETUP_CRYPTO_LOCK; /* 32 - CRYPTO_LOCK_ECDSA */
- SETUP_CRYPTO_LOCK; /* 33 - CRYPTO_LOCK_EC */
- SETUP_CRYPTO_LOCK; /* 34 - CRYPTO_LOCK_ECDH */
- SETUP_CRYPTO_LOCK; /* 35 - CRYPTO_LOCK_BN */
- SETUP_CRYPTO_LOCK; /* 36 - CRYPTO_LOCK_EC_PRE_COMP */
- SETUP_CRYPTO_LOCK; /* 37 - CRYPTO_LOCK_STORE */
- SETUP_CRYPTO_LOCK; /* 38 - CRYPTO_LOCK_COMP */
- SETUP_CRYPTO_LOCK; /* 39 - CRYPTO_LOCK_FIPS */
- SETUP_CRYPTO_LOCK; /* 40 - CRYPTO_LOCK_FIPS2 */
-
- /*
- * Incase more are added *sigh*
- */
- while (i < CRYPTO_num_locks()) SETUP_CRYPTO_LOCK;
-
- set_id_callback(ssl_id_function);
- CRYPTO_set_locking_callback(_global_mutex);
-
- return mutexes;
-}
-#endif
-
#ifdef ENABLE_OPENSSL_VERSION_CHECK
/** Check for vulnerable versions of libssl
*
* @param len to alloc.
* @return realloc.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
static void *fr_openssl_talloc(size_t len, UNUSED char const *file, UNUSED int line)
-#else
-static void *fr_openssl_talloc(size_t len)
-#endif
{
return talloc_array(ssl_talloc_ctx, uint8_t, len);
}
* @param len to extend to.
* @return realloced memory.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
static void *fr_openssl_talloc_realloc(void *old, size_t len, UNUSED char const *file, UNUSED int line)
-#else
-static void *fr_openssl_talloc_realloc(void *old, size_t len)
-#endif
{
return talloc_realloc_size(ssl_talloc_ctx, old, len);
}
*
* @param to_free memory to free.
*/
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#ifdef NDEBUG
/*
* If we're not debugging, use only the filename. Otherwise the
(void)_talloc_free(to_free, buffer);
}
#endif
-#else
-static void fr_openssl_talloc_free(void *to_free)
-{
- (void)talloc_free(to_free);
-}
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-void fr_openssl_free(void)
-{
- if (--instance_count > 0) return;
-
- /*
- * If we linked with OpenSSL, the application
- * must remove the thread's error queue before
- * exiting to prevent memory leaks.
- */
- ERR_remove_thread_state(NULL);
-
- fr_tls_engine_free_all();
-
- CONF_modules_unload(1);
-
- ERR_free_strings();
-
- EVP_cleanup();
-
- CRYPTO_cleanup_all_ex_data();
-
- TALLOC_FREE(global_mutexes);
-
- fr_dict_autofree(tls_dict);
-
- fr_tls_log_free();
-}
-#else
/** Free any memory alloced by libssl
*
* OpenSSL >= 1.1.0 uses an atexit handler to automatically free
fr_tls_log_free();
}
-#endif
/** Add all the default ciphers and message digests to our context.
*
return -1;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- SSL_load_error_strings(); /* Readable error messages (examples show call before library_init) */
- SSL_library_init(); /* Initialize library */
- OpenSSL_add_all_algorithms(); /* Required for SHA2 in OpenSSL < 0.9.8o and 1.0.0.a */
-# ifdef HAVE_OPENSSL_EVP_SHA256
/*
* SHA256 is in all versions of OpenSSL, but isn't
* initialized by default. It's needed for WiMAX
* certificates.
*/
EVP_add_digest(EVP_sha256());
-# endif
- /*
- * If we're linking with OpenSSL too, then we need
- * to set up the mutexes and enable the thread callbacks.
- */
- global_mutexes = global_mutexes_init(NULL);
- if (!global_mutexes) {
- ERROR("Failed to set up SSL mutexes");
- fr_openssl_free();
- return -1;
- }
- OPENSSL_config(NULL);
-#else
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
-#endif
/*
* FIXME - This should be done _after_
#include "base.h"
#include "cache.h"
#include "log.h"
-#include "missing.h"
#include "validate.h"
/** Retrieve session ID (in binary form) from the session
* - NULL on error.
*/
static SSL_SESSION *tls_cache_load_cb(SSL *ssl,
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
unsigned char const *key,
-#else
- unsigned char *key,
-#endif
int key_len, int *copy)
{
fr_tls_session_t *tls_session;
* - 0 if session-resumption is allowed.
* - 1 if enabling session-resumption was disabled for this session.
*/
-int fr_tls_cache_disable_cb(SSL *ssl,
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- UNUSED
-#endif
- int is_forward_secure)
+int fr_tls_cache_disable_cb(SSL *ssl, int is_forward_secure)
{
request_t *request;
tls_session = talloc_get_type_abort(SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_TLS_SESSION), fr_tls_session_t);
request = fr_tls_session_request(tls_session->ssl);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
{
fr_tls_conf_t *conf;
goto disable;
}
}
-#endif
/*
* If there's no session resumption, delete the entry
break;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
SSL_CTX_set_not_resumable_session_callback(ctx, fr_tls_cache_disable_cb);
-#endif
SSL_CTX_set_quiet_shutdown(ctx, 1);
return 0;
#include "base.h"
#include "log.h"
-#include "missing.h"
/** Certificate formats
*
#include <openssl/dh.h>
#include "base.h"
-#include "missing.h"
#include "log.h"
#ifndef OPENSSL_NO_ECDH
* at the cost of the server occasionally
* crashing on exit.
*/
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- FR_OPENSSL_BIND_OBJ_MEMORY(ctx = SSL_CTX_new(SSLv23_method())); /* which is really "all known SSL / TLS methods". Idiots. */
-#else
ctx = SSL_CTX_new(SSLv23_method());
-#endif
if (!ctx) {
fr_tls_log_error(NULL, "Failed creating TLS context");
return NULL;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- /*
- * Bind any other memory to the ctx to fix
- * leaks on exit.
- */
- FR_OPENSSL_BIND_MEMORY_BEGIN(ctx);
-#endif
-
/*
* Save the config on the context so that callbacks which
* only get SSL_CTX* e.g. session persistence, can get at it.
if (!*conf->psk_query) {
ERROR("Invalid PSK Configuration: psk_query cannot be empty");
error:
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- FR_OPENSSL_BIND_MEMORY_END;
-#endif
SSL_CTX_free(ctx);
return NULL;
}
*/
if (conf->dh_file && (ctx_dh_params_load(ctx, UNCONST(char *, conf->dh_file)) < 0)) goto error;
- /*
- * We're done configuring the ctx.
- */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- FR_OPENSSL_BIND_MEMORY_END;
-#endif
-
/*
* Setup session caching
*/
#include <freeradius-devel/util/debug.h>
#include "log.h"
-#include "missing.h"
/** Holds the state of a log BIO
*
+++ /dev/null
-#pragma once
-/*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
- */
-#include <openssl/opensslv.h>
-#include <openssl/ssl.h>
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-# define EVP_MD_CTX_new EVP_MD_CTX_create
-# define EVP_MD_CTX_free EVP_MD_CTX_destroy
-# define EVP_MD_CTX_reset EVP_MD_CTX_cleanup
-
-static inline HMAC_CTX *HMAC_CTX_new(void)
-{
- HMAC_CTX *ctx;
-
- ctx = OPENSSL_malloc(sizeof(*ctx)); /* Between HMAC_ctx_init and HMAC_init everything is zeroed */
- if (!ctx) return NULL;
-
- HMAC_CTX_init(ctx);
- return ctx;
-}
-
-static inline void HMAC_CTX_free(HMAC_CTX *ctx)
-{
- if (ctx == NULL) return;
- HMAC_CTX_cleanup(ctx);
- OPENSSL_free(ctx);
-}
-
-static inline int HMAC_CTX_reset(HMAC_CTX *ctx)
-{
- if (!ctx) return 0;
-
- HMAC_CTX_cleanup(ctx);
-
- return 1;
-}
-
-/*
- * OpenSSL compatibility, to avoid ifdef's through the rest of the code.
- */
-static inline size_t SSL_get_client_random(const SSL *s, unsigned char *out, size_t outlen)
-{
- if (!outlen) return sizeof(s->s3->client_random);
-
- if (outlen > sizeof(s->s3->client_random)) outlen = sizeof(s->s3->client_random);
-
- memcpy(out, s->s3->client_random, outlen);
- return outlen;
-}
-
-static inline size_t SSL_get_server_random(const SSL *s, unsigned char *out, size_t outlen)
-{
- if (!outlen) return sizeof(s->s3->server_random);
-
- if (outlen > sizeof(s->s3->server_random)) outlen = sizeof(s->s3->server_random);
-
- memcpy(out, s->s3->server_random, outlen);
- return outlen;
-}
-
-static inline size_t SSL_SESSION_get_master_key(const SSL_SESSION *s, unsigned char *out, size_t outlen)
-{
- if (!outlen) return s->master_key_length;
-
- if (outlen > (size_t)s->master_key_length) outlen = (size_t)s->master_key_length;
-
- memcpy(out, s->master_key, outlen);
- return outlen;
-}
-#endif
char **identity;
int attr_index, loc;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
STACK_OF(X509_EXTENSION) const *ext_list = NULL;
-#else
- STACK_OF(X509_EXTENSION) *ext_list = NULL;
-#endif
-
ASN1_INTEGER *sn = NULL;
ASN1_TIME *asn_time = NULL;
switch (name->type) {
#ifdef GEN_EMAIL
case GEN_EMAIL: {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
char const *rfc822Name = (char const *)ASN1_STRING_get0_data(name->d.rfc822Name);
-#else
- char *rfc822Name = (char *)ASN1_STRING_data(name->d.rfc822Name);
-#endif
-
CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_EMAIL, attr_index, rfc822Name);
break;
}
#endif /* GEN_EMAIL */
#ifdef GEN_DNS
- case GEN_DNS: {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ case GEN_DNS:
+ {
char const *dNSName = (char const *)ASN1_STRING_get0_data(name->d.dNSName);
-#else
- char *dNSName = (char *)ASN1_STRING_data(name->d.dNSName);
-#endif
CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_DNS, attr_index, dNSName);
break;
}
* Only add extensions for the actual client certificate
*/
if (attr_index == 0) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
ext_list = X509_get0_extensions(cert);
-#else
- ext_list = cert->cert_info->extensions;
-#endif
/*
* Grab the X509 extensions, and create attributes out of them.
#include "attrs.h"
#include "base.h"
#include "log.h"
-#include "missing.h"
static char const *tls_version_str[] = {
[SSL2_VERSION] = "SSL 2.0",
RDEBUG3("Handshake state [%.*s] - %s%s", (int)len, abbrv, role, state);
-#if defined(OPENSSL_NO_SSL_TRACE) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#ifdef OPENSSL_NO_SSL_TRACE
{
STACK_OF(SSL_CIPHER) *server_ciphers;
STACK_OF(SSL_CIPHER) *client_ciphers;
#include <freeradius-devel/server/base.h>
#include "base.h"
-#include "missing.h"
/** PKEY types (friendly names)
*
{
const EVP_CIPHER *c;
const EVP_MD *h;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- int md_size;
-
- if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL || ssl->read_hash == NULL)
- return -1;
-
- c = ssl->enc_read_ctx->cipher;
- h = EVP_MD_CTX_md(ssl->read_hash);
- if (h)
- md_size = EVP_MD_size(h);
- else if (ssl->s3)
- md_size = ssl->s3->tmp.new_mac_secret_size;
- else
- return -1;
-
- RDEBUG2("OpenSSL: keyblock size: key_len=%d MD_size=%d "
- "IV_len=%d", EVP_CIPHER_key_length(c), md_size,
- EVP_CIPHER_iv_length(c));
- return 2 * (EVP_CIPHER_key_length(c) +
- md_size +
- EVP_CIPHER_iv_length(c));
-#else
const SSL_CIPHER *ssl_cipher;
int cipher, digest;
EVP_CIPHER_iv_length(c));
return 2 * (EVP_CIPHER_key_length(c) + EVP_MD_size(h) +
EVP_CIPHER_iv_length(c));
-#endif
}
/** Convert OpenSSL's ASN1_TIME to an epoch time
#include "attrs.h"
#include "base.h"
-#include "missing.h"
DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */
* 3. Verify that the certificate has not been revoked by its issuing Certificate
* Authority, by checking with respect to a Certificate Revocation List (CRL).
*
- * 4. Verify that the credentials presented by the certificate fulfill additional
- * requirements specific to the application, such as with respect to access control
- * lists or with respect to OCSP (Online Certificate Status Processing).
- *
* @note This callback will be called multiple times based on the depth of the root
* certificate chain.
*
STACK_OF(X509) *our_chain = X509_STORE_CTX_get_chain(x509_ctx);
int i;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
RDEBUG3("Certificate chain - %i cert(s) untrusted", X509_STORE_CTX_get_num_untrusted(x509_ctx));
-#else
- RDEBUG3("Certificate chain");
-#endif
-
for (i = sk_X509_num(our_chain); i > 0 ; i--) {
X509 *this_cert = sk_X509_value(our_chain, i - 1);
EVP_MD_XLAT(sha2_384, sha384)
EVP_MD_XLAT(sha2_512, sha512)
-# if OPENSSL_VERSION_NUMBER >= 0x10100000L
EVP_MD_XLAT(blake2s_256, blake2s256)
EVP_MD_XLAT(blake2b_512, blake2b512)
-# endif
# if OPENSSL_VERSION_NUMBER >= 0x10101000L
EVP_MD_XLAT(sha3_224, sha3_224)
XLAT_REGISTER_MONO("sha2_384", xlat_func_sha2_384, xlat_func_sha_arg);
XLAT_REGISTER_MONO("sha2_512", xlat_func_sha2_512, xlat_func_sha_arg);
-# if OPENSSL_VERSION_NUMBER >= 0x10100000L
XLAT_REGISTER_MONO("blake2s_256", xlat_func_blake2s_256, xlat_func_sha_arg);
XLAT_REGISTER_MONO("blake2b_512", xlat_func_blake2b_512, xlat_func_sha_arg);
-# endif
# if OPENSSL_VERSION_NUMBER >= 0x10101000L
XLAT_REGISTER_MONO("sha3_224", xlat_func_sha3_224, xlat_func_sha_arg);
#ifdef HAVE_OPENSSL_EVP_H
# include <openssl/hmac.h>
-# include <freeradius-devel/tls/missing.h>
static _Thread_local HMAC_CTX *md5_hmac_ctx;
#ifdef HAVE_OPENSSL_EVP_H
# include <openssl/hmac.h>
-# include <freeradius-devel/tls/missing.h>
static _Thread_local HMAC_CTX *sha1_hmac_ctx;
# include <openssl/evp.h>
# include <openssl/crypto.h>
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-# define EVP_MD_CTX_new EVP_MD_CTX_create
-# define EVP_MD_CTX_free EVP_MD_CTX_destroy
-# define EVP_MD_CTX_reset EVP_MD_CTX_cleanup
-#endif
-
static int have_openssl_md4 = -1;
static void _md4_ctx_openssl_free_on_exit(void *arg)
# include <openssl/evp.h>
# include <openssl/crypto.h>
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-# define EVP_MD_CTX_new EVP_MD_CTX_create
-# define EVP_MD_CTX_free EVP_MD_CTX_destroy
-# define EVP_MD_CTX_reset EVP_MD_CTX_cleanup
-#endif
-
static int have_openssl_md5 = -1;
static void _md5_ctx_openssl_free_on_exit(void *arg)
*/
RCSIDH(eap_fast_crypto_h, "$Id$")
-#include <freeradius-devel/tls/missing.h>
-
void T_PRF(unsigned char const *secret, unsigned int secret_len, char const *prf_label, unsigned char const *seed, unsigned int seed_len, unsigned char *out, unsigned int out_len) CC_HINT(nonnull(1,3,6));
int eap_fast_encrypt(uint8_t const *plaintext, size_t plaintext_len,
*secret_len = SSL_MAX_MASTER_KEY_LENGTH;
}
-// hostap:src/crypto/tls_openssl.c:tls_sess_sec_cb()
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-static int _session_secret(SSL *s, void *secret, int *secret_len,
- UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers,
- UNUSED SSL_CIPHER **cipher, void *arg)
-#else
static int _session_secret(SSL *s, void *secret, int *secret_len,
UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers,
UNUSED SSL_CIPHER const **cipher, void *arg)
-#endif
{
// FIXME enforce non-anon cipher
#include <freeradius-devel/server/base.h>
#include <freeradius-devel/tls/base.h>
-#include <freeradius-devel/tls/missing.h>
#include <freeradius-devel/server/module.h>
#include "eap_pwd.h"
#include "attrs.h"
#include "base.h"
#include "log.h"
-#include "missing.h"
/** Rcodes returned by the OCSP check function
*/
goto error;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10102000L
if (SSL_get0_chain_certs(ssl, &our_chain) == 0) {
-#else
+
/*
* Ignore the return code for older versions of
* OpenSSL.
#include <freeradius-devel/server/base.h>
#include <freeradius-devel/server/module.h>
#include <freeradius-devel/tls/base.h>
-#include <freeradius-devel/tls/missing.h>
#include <freeradius-devel/util/base16.h>
/*