]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
Remove support for OpenSSL < 1.1.0
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 18 Jun 2021 00:20:05 +0000 (19:20 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 18 Jun 2021 00:26:13 +0000 (19:26 -0500)
We need 1.1.0 for async support

23 files changed:
configure.ac
src/lib/eap/crypto.c
src/lib/eap/tls.c
src/lib/tls/base.c
src/lib/tls/cache.c
src/lib/tls/conf.c
src/lib/tls/ctx.c
src/lib/tls/log.c
src/lib/tls/missing.h [deleted file]
src/lib/tls/pairs.c
src/lib/tls/session.c
src/lib/tls/utils.c
src/lib/tls/validate.c
src/lib/unlang/xlat_builtin.c
src/lib/util/hmac_md5.c
src/lib/util/hmac_sha1.c
src/lib/util/md4.c
src/lib/util/md5.c
src/modules/rlm_eap/types/rlm_eap_fast/eap_fast_crypto.h
src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
src/modules/rlm_ocsp/ocsp.c
src/modules/rlm_wimax/rlm_wimax.c

index fff143349751a92277d1d68f12d6d23cd132ac1b..0d4e917128b94c0a2390fd56fea7ae1611248407 100644 (file)
@@ -1199,10 +1199,10 @@ if test "x$WITH_OPENSSL" = xyes; then
       ]
     )
 
-    AC_MSG_CHECKING([for OpenSSL version >= 1.0.2])
+    AC_MSG_CHECKING([for OpenSSL version >= 1.1.0])
     AC_EGREP_CPP(yes,
       [#include <openssl/crypto.h>
-       #if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
+       #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
        yes
        #endif
       ],
index d9214f0811778064aa3f2bf5601c5d812a811535..ea4240fbdf6def448af0f8a021c72cf0cabe34f4 100644 (file)
@@ -36,7 +36,6 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 
 #include <freeradius-devel/util/sha1.h>
 #include <freeradius-devel/tls/base.h>
-#include <freeradius-devel/tls/missing.h>
 #include <freeradius-devel/tls/log.h>
 
 #include "tls.h"
@@ -94,7 +93,7 @@ int eap_crypto_tls_session_id(TALLOC_CTX *ctx,
 #endif
                              request_t *request, SSL *ssl,
                              uint8_t **out, uint8_t eap_type,
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
                              UNUSED
 #endif
                              char const *prf_label,
@@ -107,7 +106,6 @@ int eap_crypto_tls_session_id(TALLOC_CTX *ctx,
 
        *out = NULL;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
        if (!prf_label) goto random_based_session_id;
 
        switch (SSL_SESSION_get_protocol_version(SSL_get_session(ssl))) {
@@ -119,7 +117,6 @@ int eap_crypto_tls_session_id(TALLOC_CTX *ctx,
        case TLS1_1_VERSION:    /* No Method ID */
        case TLS1_2_VERSION:    /* No Method ID */
        random_based_session_id:
-#endif
                MEM(buff = p = talloc_array(ctx, uint8_t, sizeof(eap_type) + (2 * SSL3_RANDOM_SIZE)));
                *p++ = eap_type;
 
@@ -145,9 +142,7 @@ int eap_crypto_tls_session_id(TALLOC_CTX *ctx,
        }
                break;
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
        }
-#endif
        *out = buff;
 
        return 0;
index 087ae883ed830eef9a25ebfefc64b95d3d5a4457..b9853ef7e9685ac8b77800734a3e14e6006b421b 100644 (file)
@@ -275,16 +275,6 @@ int eap_tls_success(request_t *request, eap_session_t *eap_session,
 
        eap_session->finished = true;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       /*
-        *      Check session resumption is allowed, disabling it
-        *      if it's not.
-        */
-       fr_tls_session_request_bind(tls_session->ssl, request);
-       fr_tls_cache_disable_cb(tls_session->ssl, -1);
-       fr_tls_session_request_unbind(tls_session->ssl);
-#endif
-
        /*
         *      Build the success packet
         */
index b790bf89dbefa3574694da38adbc033e1e57d2d3..89f8902299bbb7e648aa27a6a9042eec60b519ab 100644 (file)
@@ -207,178 +207,10 @@ static fr_openssl_defect_t fr_openssl_defects[] =
                .id             = "CVE-2016-6304",
                .name           = "OCSP status request extension",
                .comment        = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
-       },
-       {
-               .low            = Vm(1,0,2,'i'),                /* 1.0.2i */
-               .high           = Vm(1,0,2,'i'),                /* 1.0.2i */
-               .id             = "CVE-2016-7052",
-               .name           = "OCSP status request extension",
-               .comment        = "For more information see https://www.openssl.org/news/secadv/20160926.txt"
-       },
-       {
-               .low            = VM(1,0,2),                    /* 1.0.2  */
-               .high           = Vm(1,0,2,'h'),                /* 1.0.2h */
-               .id             = "CVE-2016-6304",
-               .name           = "OCSP status request extension",
-               .comment        = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
-       },
+       }
 };
 #endif /* ENABLE_OPENSSL_VERSION_CHECK */
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-/*
- *     If we're linking against OpenSSL, then it is the
- *     duty of the application, if it is multithreaded,
- *     to provide OpenSSL with appropriate thread id
- *     and mutex locking functions
- *
- *     Note: this only implements static callbacks.
- *     OpenSSL does not use dynamic locking callbacks
- *     right now, but may in the future, so we will have
- *     to add them at some point.
- */
-static pthread_mutex_t *global_mutexes = NULL;
-
-static unsigned long _thread_id(void)
-{
-       unsigned long ret;
-       pthread_t thread = pthread_self();
-
-       if (sizeof(ret) >= sizeof(thread)) {
-               memcpy(&ret, &thread, sizeof(thread));
-       } else {
-               memcpy(&ret, &thread, sizeof(ret));
-       }
-
-       return ret;
-}
-
-/*
- *     Use preprocessor magic to get the right function and argument
- *     to use.  This avoids ifdef's through the rest of the code.
- */
-static void ssl_id_function(CRYPTO_THREADID *id)
-{
-       CRYPTO_THREADID_set_numeric(id, _thread_id());
-}
-#define set_id_callback CRYPTO_THREADID_set_callback
-
-
-static void _global_mutex(int mode, int n, UNUSED char const *file, UNUSED int line)
-{
-       if (mode & CRYPTO_LOCK) {
-               pthread_mutex_lock(&(global_mutexes[n]));
-       } else {
-               pthread_mutex_unlock(&(global_mutexes[n]));
-       }
-}
-
-/** Free the static mutexes we allocated for OpenSSL
- *
- */
-static int _global_mutexes_free(pthread_mutex_t *mutexes)
-{
-       size_t i;
-
-       /*
-        *      Ensure OpenSSL doesn't use the locks
-        */
-       CRYPTO_set_id_callback(NULL);
-       CRYPTO_set_locking_callback(NULL);
-
-       /*
-        *      Destroy all the mutexes
-        */
-       for (i = 0; i < talloc_array_length(mutexes); i++) pthread_mutex_destroy(&(mutexes[i]));
-
-       return 0;
-}
-
-/** OpenSSL uses static mutexes which we need to initialise
- *
- * @note Yes, these really are global.
- *
- * @param ctx to alloc mutexes/array in.
- * @return array of mutexes.
- */
-static pthread_mutex_t *global_mutexes_init(TALLOC_CTX *ctx)
-{
-       int i = 0;
-       pthread_mutex_t *mutexes;
-
-#define SETUP_CRYPTO_LOCK if (i < CRYPTO_num_locks()) pthread_mutex_init(&(mutexes[i++]), NULL)
-
-       mutexes = talloc_array(ctx, pthread_mutex_t, CRYPTO_num_locks());
-       if (!mutexes) {
-               ERROR("Error allocating memory for OpenSSL mutexes!");
-               return NULL;
-       }
-
-       talloc_set_destructor(mutexes, _global_mutexes_free);
-
-       /*
-        *      Some profiling tools only give us the line the mutex
-        *      was initialised on.  In that case this allows us to
-        *      see which of the mutexes in the profiling tool relates
-        *      to which OpenSSL mutex.
-        *
-        *      OpenSSL locks are usually indexed from 1, but just to
-        *      be sure we initialise index 0 too.
-        */
-       SETUP_CRYPTO_LOCK; /* UNUSED */
-       SETUP_CRYPTO_LOCK; /* 1  - CRYPTO_LOCK_ERR */
-       SETUP_CRYPTO_LOCK; /* 2  - CRYPTO_LOCK_EX_DATA */
-       SETUP_CRYPTO_LOCK; /* 3  - CRYPTO_LOCK_X509 */
-       SETUP_CRYPTO_LOCK; /* 4  - CRYPTO_LOCK_X509_INFO */
-       SETUP_CRYPTO_LOCK; /* 5  - CRYPTO_LOCK_X509_PKEY */
-       SETUP_CRYPTO_LOCK; /* 6  - CRYPTO_LOCK_X509_CRL */
-       SETUP_CRYPTO_LOCK; /* 7  - CRYPTO_LOCK_X509_REQ */
-       SETUP_CRYPTO_LOCK; /* 8  - CRYPTO_LOCK_DSA */
-       SETUP_CRYPTO_LOCK; /* 9  - CRYPTO_LOCK_RSA */
-       SETUP_CRYPTO_LOCK; /* 10 - CRYPTO_LOCK_EVP_PKEY */
-       SETUP_CRYPTO_LOCK; /* 11 - CRYPTO_LOCK_X509_STORE */
-       SETUP_CRYPTO_LOCK; /* 12 - CRYPTO_LOCK_SSL_CTX */
-       SETUP_CRYPTO_LOCK; /* 13 - CRYPTO_LOCK_SSL_CERT */
-       SETUP_CRYPTO_LOCK; /* 14 - CRYPTO_LOCK_SSL_SESSION */
-       SETUP_CRYPTO_LOCK; /* 15 - CRYPTO_LOCK_SSL_SESS_CERT */
-       SETUP_CRYPTO_LOCK; /* 16 - CRYPTO_LOCK_SSL */
-       SETUP_CRYPTO_LOCK; /* 17 - CRYPTO_LOCK_SSL_METHOD */
-       SETUP_CRYPTO_LOCK; /* 18 - CRYPTO_LOCK_RAND */
-       SETUP_CRYPTO_LOCK; /* 19 - CRYPTO_LOCK_RAND2 */
-       SETUP_CRYPTO_LOCK; /* 20 - CRYPTO_LOCK_MALLOC */
-       SETUP_CRYPTO_LOCK; /* 21 - CRYPTO_LOCK_BIO  */
-       SETUP_CRYPTO_LOCK; /* 22 - CRYPTO_LOCK_GETHOSTBYNAME */
-       SETUP_CRYPTO_LOCK; /* 23 - CRYPTO_LOCK_GETSERVBYNAME */
-       SETUP_CRYPTO_LOCK; /* 24 - CRYPTO_LOCK_READDIR */
-       SETUP_CRYPTO_LOCK; /* 25 - CRYPTO_LOCRYPTO_LOCK_RSA_BLINDING */
-       SETUP_CRYPTO_LOCK; /* 26 - CRYPTO_LOCK_DH */
-       SETUP_CRYPTO_LOCK; /* 27 - CRYPTO_LOCK_MALLOC2  */
-       SETUP_CRYPTO_LOCK; /* 28 - CRYPTO_LOCK_DSO */
-       SETUP_CRYPTO_LOCK; /* 29 - CRYPTO_LOCK_DYNLOCK */
-       SETUP_CRYPTO_LOCK; /* 30 - CRYPTO_LOCK_ENGINE */
-       SETUP_CRYPTO_LOCK; /* 31 - CRYPTO_LOCK_UI */
-       SETUP_CRYPTO_LOCK; /* 32 - CRYPTO_LOCK_ECDSA */
-       SETUP_CRYPTO_LOCK; /* 33 - CRYPTO_LOCK_EC */
-       SETUP_CRYPTO_LOCK; /* 34 - CRYPTO_LOCK_ECDH */
-       SETUP_CRYPTO_LOCK; /* 35 - CRYPTO_LOCK_BN */
-       SETUP_CRYPTO_LOCK; /* 36 - CRYPTO_LOCK_EC_PRE_COMP */
-       SETUP_CRYPTO_LOCK; /* 37 - CRYPTO_LOCK_STORE */
-       SETUP_CRYPTO_LOCK; /* 38 - CRYPTO_LOCK_COMP */
-       SETUP_CRYPTO_LOCK; /* 39 - CRYPTO_LOCK_FIPS  */
-       SETUP_CRYPTO_LOCK; /* 40 - CRYPTO_LOCK_FIPS2 */
-
-       /*
-        *      Incase more are added *sigh*
-        */
-       while (i < CRYPTO_num_locks()) SETUP_CRYPTO_LOCK;
-
-       set_id_callback(ssl_id_function);
-       CRYPTO_set_locking_callback(_global_mutex);
-
-       return mutexes;
-}
-#endif
-
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 /** Check for vulnerable versions of libssl
  *
@@ -441,11 +273,7 @@ int fr_openssl_version_check(char const *acknowledged)
  * @param len to alloc.
  * @return realloc.
  */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 static void *fr_openssl_talloc(size_t len, UNUSED char const *file, UNUSED int line)
-#else
-static void *fr_openssl_talloc(size_t len)
-#endif
 {
        return talloc_array(ssl_talloc_ctx, uint8_t, len);
 }
@@ -456,11 +284,7 @@ static void *fr_openssl_talloc(size_t len)
  * @param len to extend to.
  * @return realloced memory.
  */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 static void *fr_openssl_talloc_realloc(void *old, size_t len, UNUSED char const *file, UNUSED int line)
-#else
-static void *fr_openssl_talloc_realloc(void *old, size_t len)
-#endif
 {
        return talloc_realloc_size(ssl_talloc_ctx, old, len);
 }
@@ -469,7 +293,6 @@ static void *fr_openssl_talloc_realloc(void *old, size_t len)
  *
  * @param to_free memory to free.
  */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 #ifdef NDEBUG
 /*
  *     If we're not debugging, use only the filename.  Otherwise the
@@ -488,42 +311,7 @@ static void fr_openssl_talloc_free(void *to_free, char const *file, int line)
        (void)_talloc_free(to_free, buffer);
 }
 #endif
-#else
-static void fr_openssl_talloc_free(void *to_free)
-{
-       (void)talloc_free(to_free);
-}
-#endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-void fr_openssl_free(void)
-{
-       if (--instance_count > 0) return;
-
-       /*
-        *      If we linked with OpenSSL, the application
-        *      must remove the thread's error queue before
-        *      exiting to prevent memory leaks.
-        */
-       ERR_remove_thread_state(NULL);
-
-       fr_tls_engine_free_all();
-
-       CONF_modules_unload(1);
-
-       ERR_free_strings();
-
-       EVP_cleanup();
-
-       CRYPTO_cleanup_all_ex_data();
-
-       TALLOC_FREE(global_mutexes);
-
-       fr_dict_autofree(tls_dict);
-
-       fr_tls_log_free();
-}
-#else
 /** Free any memory alloced by libssl
  *
  * OpenSSL >= 1.1.0 uses an atexit handler to automatically free
@@ -543,7 +331,6 @@ void fr_openssl_free(void)
 
        fr_tls_log_free();
 }
-#endif
 
 /** Add all the default ciphers and message digests to our context.
  *
@@ -566,33 +353,14 @@ int fr_openssl_init(void)
                return -1;
        }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       SSL_load_error_strings();       /* Readable error messages (examples show call before library_init) */
-       SSL_library_init();             /* Initialize library */
-       OpenSSL_add_all_algorithms();   /* Required for SHA2 in OpenSSL < 0.9.8o and 1.0.0.a */
-#  ifdef HAVE_OPENSSL_EVP_SHA256
        /*
         *      SHA256 is in all versions of OpenSSL, but isn't
         *      initialized by default.  It's needed for WiMAX
         *      certificates.
         */
        EVP_add_digest(EVP_sha256());
-#  endif
-       /*
-        *      If we're linking with OpenSSL too, then we need
-        *      to set up the mutexes and enable the thread callbacks.
-        */
-       global_mutexes = global_mutexes_init(NULL);
-       if (!global_mutexes) {
-               ERROR("Failed to set up SSL mutexes");
-               fr_openssl_free();
-               return -1;
-       }
 
-       OPENSSL_config(NULL);
-#else
        OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
-#endif
 
        /*
         *      FIXME - This should be done _after_
index 3a50ec0516ad95c988b0ff1dea5de55a1c4ec7aa..59723b5143540ced7904ad4a17e515f0d99c824e 100644 (file)
@@ -39,7 +39,6 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 #include "base.h"
 #include "cache.h"
 #include "log.h"
-#include "missing.h"
 #include "validate.h"
 
 /** Retrieve session ID (in binary form) from the session
@@ -501,11 +500,7 @@ static int tls_cache_store_cb(SSL *ssl, SSL_SESSION *sess)
  *     - NULL on error.
  */
 static SSL_SESSION *tls_cache_load_cb(SSL *ssl,
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
                                      unsigned char const *key,
-#else
-                                     unsigned char *key,
-#endif
                                      int key_len, int *copy)
 {
        fr_tls_session_t        *tls_session;
@@ -619,11 +614,7 @@ static void tls_cache_delete_cb(UNUSED SSL_CTX *ctx, SSL_SESSION *sess)
  *     - 0 if session-resumption is allowed.
  *     - 1 if enabling session-resumption was disabled for this session.
  */
-int fr_tls_cache_disable_cb(SSL *ssl,
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-                           UNUSED
-#endif
-                           int is_forward_secure)
+int fr_tls_cache_disable_cb(SSL *ssl, int is_forward_secure)
 {
        request_t               *request;
 
@@ -633,7 +624,6 @@ int fr_tls_cache_disable_cb(SSL *ssl,
        tls_session = talloc_get_type_abort(SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_TLS_SESSION), fr_tls_session_t);
        request = fr_tls_session_request(tls_session->ssl);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
        {
                fr_tls_conf_t *conf;
 
@@ -649,7 +639,6 @@ int fr_tls_cache_disable_cb(SSL *ssl,
                        goto disable;
                }
        }
-#endif
 
        /*
         *      If there's no session resumption, delete the entry
@@ -1065,9 +1054,7 @@ int fr_tls_cache_ctx_init(SSL_CTX *ctx, fr_tls_cache_conf_t const *cache_conf)
                break;
        }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
        SSL_CTX_set_not_resumable_session_callback(ctx, fr_tls_cache_disable_cb);
-#endif
        SSL_CTX_set_quiet_shutdown(ctx, 1);
 
        return 0;
index be02805ba1225d303d12dd09647c7474aa2f2d83..f3a4d2cc51167555a277e0dc8999792fd02e4557 100644 (file)
@@ -42,7 +42,6 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 
 #include "base.h"
 #include "log.h"
-#include "missing.h"
 
 /** Certificate formats
  *
index cf93bf1be95b4e169db3b5e2186b564e7ede0dce..8c9a815c3cdef561ae949c3a9c98988cd66e52fc 100644 (file)
@@ -40,7 +40,6 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 #include <openssl/dh.h>
 
 #include "base.h"
-#include "missing.h"
 #include "log.h"
 
 #ifndef OPENSSL_NO_ECDH
@@ -436,24 +435,12 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
         *      at the cost of the server occasionally
         *      crashing on exit.
         */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       FR_OPENSSL_BIND_OBJ_MEMORY(ctx = SSL_CTX_new(SSLv23_method())); /* which is really "all known SSL / TLS methods".  Idiots. */
-#else
        ctx = SSL_CTX_new(SSLv23_method());
-#endif
        if (!ctx) {
                fr_tls_log_error(NULL, "Failed creating TLS context");
                return NULL;
        }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       /*
-        *      Bind any other memory to the ctx to fix
-        *      leaks on exit.
-        */
-       FR_OPENSSL_BIND_MEMORY_BEGIN(ctx);
-#endif
-
        /*
         *      Save the config on the context so that callbacks which
         *      only get SSL_CTX* e.g. session persistence, can get at it.
@@ -472,9 +459,6 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
                if (!*conf->psk_query) {
                        ERROR("Invalid PSK Configuration: psk_query cannot be empty");
                error:
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-                       FR_OPENSSL_BIND_MEMORY_END;
-#endif
                        SSL_CTX_free(ctx);
                        return NULL;
                }
@@ -861,13 +845,6 @@ post_ca:
         */
        if (conf->dh_file && (ctx_dh_params_load(ctx, UNCONST(char *, conf->dh_file)) < 0)) goto error;
 
-       /*
-        *      We're done configuring the ctx.
-        */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       FR_OPENSSL_BIND_MEMORY_END;
-#endif
-
        /*
         *      Setup session caching
         */
index 1310c25110738c36d674aeefc0a357d550b70358..a04a00d93be8c2aad4aa4be673d642fa3e62a6fb 100644 (file)
@@ -33,7 +33,6 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 #include <freeradius-devel/util/debug.h>
 
 #include "log.h"
-#include "missing.h"
 
 /** Holds the state of a log BIO
  *
diff --git a/src/lib/tls/missing.h b/src/lib/tls/missing.h
deleted file mode 100644 (file)
index 4865020..0000000
+++ /dev/null
@@ -1,84 +0,0 @@
-#pragma once
-/*
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, write to the Free Software
- *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
- */
-#include <openssl/opensslv.h>
-#include <openssl/ssl.h>
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#  define EVP_MD_CTX_new       EVP_MD_CTX_create
-#  define EVP_MD_CTX_free      EVP_MD_CTX_destroy
-#  define EVP_MD_CTX_reset     EVP_MD_CTX_cleanup
-
-static inline HMAC_CTX *HMAC_CTX_new(void)
-{
-       HMAC_CTX *ctx;
-
-       ctx = OPENSSL_malloc(sizeof(*ctx));     /* Between HMAC_ctx_init and HMAC_init everything is zeroed */
-       if (!ctx) return NULL;
-
-       HMAC_CTX_init(ctx);
-       return ctx;
-}
-
-static inline void HMAC_CTX_free(HMAC_CTX *ctx)
-{
-       if (ctx == NULL) return;
-       HMAC_CTX_cleanup(ctx);
-       OPENSSL_free(ctx);
-}
-
-static inline int HMAC_CTX_reset(HMAC_CTX *ctx)
-{
-       if (!ctx) return 0;
-
-       HMAC_CTX_cleanup(ctx);
-
-       return 1;
-}
-
-/*
- *     OpenSSL compatibility, to avoid ifdef's through the rest of the code.
- */
-static inline size_t SSL_get_client_random(const SSL *s, unsigned char *out, size_t outlen)
-{
-       if (!outlen) return sizeof(s->s3->client_random);
-
-       if (outlen > sizeof(s->s3->client_random)) outlen = sizeof(s->s3->client_random);
-
-       memcpy(out, s->s3->client_random, outlen);
-       return outlen;
-}
-
-static inline size_t SSL_get_server_random(const SSL *s, unsigned char *out, size_t outlen)
-{
-       if (!outlen) return sizeof(s->s3->server_random);
-
-       if (outlen > sizeof(s->s3->server_random)) outlen = sizeof(s->s3->server_random);
-
-       memcpy(out, s->s3->server_random, outlen);
-       return outlen;
-}
-
-static inline size_t SSL_SESSION_get_master_key(const SSL_SESSION *s, unsigned char *out, size_t outlen)
-{
-       if (!outlen) return s->master_key_length;
-
-       if (outlen > (size_t)s->master_key_length) outlen = (size_t)s->master_key_length;
-
-       memcpy(out, s->master_key, outlen);
-       return outlen;
-}
-#endif
index 659324db2e5daa19e88b4541fdb40f8360a30fbd..8629be45a8637be94cb475c7436e056eb908d982 100644 (file)
@@ -105,12 +105,7 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c
        char            **identity;
        int             attr_index, loc;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
        STACK_OF(X509_EXTENSION) const *ext_list = NULL;
-#else
-       STACK_OF(X509_EXTENSION) *ext_list = NULL;
-#endif
-
        ASN1_INTEGER    *sn = NULL;
        ASN1_TIME       *asn_time = NULL;
 
@@ -212,23 +207,15 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c
                                switch (name->type) {
 #ifdef GEN_EMAIL
                                case GEN_EMAIL: {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
                                        char const *rfc822Name = (char const *)ASN1_STRING_get0_data(name->d.rfc822Name);
-#else
-                                       char *rfc822Name = (char *)ASN1_STRING_data(name->d.rfc822Name);
-#endif
-
                                        CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_EMAIL, attr_index, rfc822Name);
                                        break;
                                }
 #endif /* GEN_EMAIL */
 #ifdef GEN_DNS
-                               case GEN_DNS: {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+                               case GEN_DNS:
+                               {
                                        char const *dNSName = (char const *)ASN1_STRING_get0_data(name->d.dNSName);
-#else
-                                       char *dNSName = (char *)ASN1_STRING_data(name->d.dNSName);
-#endif
                                        CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_DNS, attr_index, dNSName);
                                        break;
                                }
@@ -261,11 +248,7 @@ int fr_tls_session_pairs_from_x509_cert(fr_pair_list_t *pair_list, TALLOC_CTX *c
         *      Only add extensions for the actual client certificate
         */
        if (attr_index == 0) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
                ext_list = X509_get0_extensions(cert);
-#else
-               ext_list = cert->cert_info->extensions;
-#endif
 
                /*
                 *      Grab the X509 extensions, and create attributes out of them.
index 94256762b96c3af1db7cc7c03b5e3b934411b954..0aab080cecc810f69540594f1c62dfc811db3ab5 100644 (file)
@@ -46,7 +46,6 @@
 #include "attrs.h"
 #include "base.h"
 #include "log.h"
-#include "missing.h"
 
 static char const *tls_version_str[] = {
        [SSL2_VERSION]                          = "SSL 2.0",
@@ -464,7 +463,7 @@ void fr_tls_session_info_cb(SSL const *ssl, int where, int ret)
 
                        RDEBUG3("Handshake state [%.*s] - %s%s", (int)len, abbrv, role, state);
 
-#if defined(OPENSSL_NO_SSL_TRACE) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#ifdef OPENSSL_NO_SSL_TRACE
                        {
                                STACK_OF(SSL_CIPHER) *server_ciphers;
                                STACK_OF(SSL_CIPHER) *client_ciphers;
index bb78944512641bad46157d3b6a497e4363ccd618..1b9c1ac405534fda1e7457491ed15e4d83b5d1f3 100644 (file)
@@ -27,7 +27,6 @@
 #include <freeradius-devel/server/base.h>
 
 #include "base.h"
-#include "missing.h"
 
 /** PKEY types (friendly names)
  *
@@ -84,28 +83,6 @@ int fr_tls_utils_keyblock_size_get(request_t *request, SSL *ssl)
 {
        const EVP_CIPHER *c;
        const EVP_MD *h;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       int md_size;
-
-       if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL || ssl->read_hash == NULL)
-               return -1;
-
-       c = ssl->enc_read_ctx->cipher;
-       h = EVP_MD_CTX_md(ssl->read_hash);
-       if (h)
-               md_size = EVP_MD_size(h);
-       else if (ssl->s3)
-               md_size = ssl->s3->tmp.new_mac_secret_size;
-       else
-               return -1;
-
-       RDEBUG2("OpenSSL: keyblock size: key_len=%d MD_size=%d "
-                  "IV_len=%d", EVP_CIPHER_key_length(c), md_size,
-                  EVP_CIPHER_iv_length(c));
-       return 2 * (EVP_CIPHER_key_length(c) +
-                   md_size +
-                   EVP_CIPHER_iv_length(c));
-#else
        const SSL_CIPHER *ssl_cipher;
        int cipher, digest;
 
@@ -127,7 +104,6 @@ int fr_tls_utils_keyblock_size_get(request_t *request, SSL *ssl)
                   EVP_CIPHER_iv_length(c));
        return 2 * (EVP_CIPHER_key_length(c) + EVP_MD_size(h) +
                    EVP_CIPHER_iv_length(c));
-#endif
 }
 
 /** Convert OpenSSL's ASN1_TIME to an epoch time
index 27dc1d630aa474821900dbc74324287d661f5945..65f56c7a1bb2ed60b45f3b0149a5c5d5c5742a12 100644 (file)
@@ -38,7 +38,6 @@
 
 #include "attrs.h"
 #include "base.h"
-#include "missing.h"
 
 DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
 DIAG_OFF(used-but-marked-unused)       /* fix spurious warnings for sk macros */
@@ -56,10 +55,6 @@ DIAG_OFF(used-but-marked-unused)     /* fix spurious warnings for sk macros */
  *   3. Verify that the certificate has not been revoked by its issuing Certificate
  *      Authority, by checking with respect to a Certificate Revocation List (CRL).
  *
- *   4. Verify that the credentials presented by the certificate fulfill additional
- *      requirements specific to the application, such as with respect to access control
- *      lists or with respect to OCSP (Online Certificate Status Processing).
- *
  * @note This callback will be called multiple times based on the depth of the root
  *     certificate chain.
  *
@@ -110,12 +105,7 @@ int fr_tls_validate_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
                STACK_OF(X509)  *our_chain = X509_STORE_CTX_get_chain(x509_ctx);
                int             i;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
                RDEBUG3("Certificate chain - %i cert(s) untrusted", X509_STORE_CTX_get_num_untrusted(x509_ctx));
-#else
-               RDEBUG3("Certificate chain");
-#endif
-
                for (i = sk_X509_num(our_chain); i > 0 ; i--) {
                        X509 *this_cert = sk_X509_value(our_chain, i - 1);
 
index ad4a36b6625ce1b072703e7944aec7acd034d3d2..bcda6a07b360cae3e3b275a89da3806bab4ce2d4 100644 (file)
@@ -2553,10 +2553,8 @@ EVP_MD_XLAT(sha2_256, sha256)
 EVP_MD_XLAT(sha2_384, sha384)
 EVP_MD_XLAT(sha2_512, sha512)
 
-#  if OPENSSL_VERSION_NUMBER >= 0x10100000L
 EVP_MD_XLAT(blake2s_256, blake2s256)
 EVP_MD_XLAT(blake2b_512, blake2b512)
-#  endif
 
 #  if OPENSSL_VERSION_NUMBER >= 0x10101000L
 EVP_MD_XLAT(sha3_224, sha3_224)
@@ -3138,10 +3136,8 @@ do { \
        XLAT_REGISTER_MONO("sha2_384", xlat_func_sha2_384, xlat_func_sha_arg);
        XLAT_REGISTER_MONO("sha2_512", xlat_func_sha2_512, xlat_func_sha_arg);
 
-#  if OPENSSL_VERSION_NUMBER >= 0x10100000L
        XLAT_REGISTER_MONO("blake2s_256", xlat_func_blake2s_256, xlat_func_sha_arg);
        XLAT_REGISTER_MONO("blake2b_512", xlat_func_blake2b_512, xlat_func_sha_arg);
-#  endif
 
 #  if OPENSSL_VERSION_NUMBER >= 0x10101000L
        XLAT_REGISTER_MONO("sha3_224", xlat_func_sha3_224, xlat_func_sha_arg);
index 1d5d6e5d57c7cb36fe283fb732c2abf2d9d9572a..fcfc32c7756199f8e0eccdaf9d13fc8ac5c526aa 100644 (file)
@@ -35,7 +35,6 @@ RCSID("$Id$")
 
 #ifdef HAVE_OPENSSL_EVP_H
 #  include <openssl/hmac.h>
-#  include <freeradius-devel/tls/missing.h>
 
 static _Thread_local HMAC_CTX *md5_hmac_ctx;
 
index d5b33ba6ffc83edc80898538188750bfa0c7fd88..a87ec020bcf4f38381bd3531bf64449a4504b21d 100644 (file)
@@ -40,7 +40,6 @@ unsigned int sha1_data_problems = 0;
 
 #ifdef HAVE_OPENSSL_EVP_H
 #  include <openssl/hmac.h>
-#  include <freeradius-devel/tls/missing.h>
 
 static _Thread_local HMAC_CTX *sha1_hmac_ctx;
 
index 2ede6528af46acd63032d1b9b6be4e5c0c5a69a8..7ae2c81f8d8aa3dc65be4188350efefedc684bc0 100644 (file)
@@ -29,12 +29,6 @@ static _Thread_local fr_md4_ctx_t *md4_ctx;
 #  include <openssl/evp.h>
 #  include <openssl/crypto.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#  define EVP_MD_CTX_new EVP_MD_CTX_create
-#  define EVP_MD_CTX_free EVP_MD_CTX_destroy
-#  define EVP_MD_CTX_reset EVP_MD_CTX_cleanup
-#endif
-
 static int have_openssl_md4 = -1;
 
 static void _md4_ctx_openssl_free_on_exit(void *arg)
index 972f5f303a4323f8327174db8e3e96ce5b9223b3..e73ea84b60261abec2a5c7bfcde9374d5ebe03d7 100644 (file)
@@ -40,12 +40,6 @@ static _Thread_local fr_md5_free_list_t * md5_array;
 #  include <openssl/evp.h>
 #  include <openssl/crypto.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#  define EVP_MD_CTX_new EVP_MD_CTX_create
-#  define EVP_MD_CTX_free EVP_MD_CTX_destroy
-#  define EVP_MD_CTX_reset EVP_MD_CTX_cleanup
-#endif
-
 static int have_openssl_md5 = -1;
 
 static void _md5_ctx_openssl_free_on_exit(void *arg)
index 8cbbb5e08451e56a17f0d3b2159d42860be69dfe..8dfc67a4f052481f91b5ef79bf0e167fc2a24ddb 100644 (file)
@@ -27,8 +27,6 @@
  */
 RCSIDH(eap_fast_crypto_h, "$Id$")
 
-#include <freeradius-devel/tls/missing.h>
-
 void T_PRF(unsigned char const *secret, unsigned int secret_len, char const *prf_label, unsigned char const *seed, unsigned int seed_len, unsigned char *out, unsigned int out_len) CC_HINT(nonnull(1,3,6));
 
 int eap_fast_encrypt(uint8_t const *plaintext, size_t plaintext_len,
index 8d4a3060125b6bba63629ef1b2eb2f98e73b7e21..1deac3f50b00360941558f0f7be7a116389b2c29 100644 (file)
@@ -219,16 +219,9 @@ static void eap_fast_session_ticket(fr_tls_session_t *tls_session, const SSL *s,
        *secret_len = SSL_MAX_MASTER_KEY_LENGTH;
 }
 
-// hostap:src/crypto/tls_openssl.c:tls_sess_sec_cb()
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-static int _session_secret(SSL *s, void *secret, int *secret_len,
-                          UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers,
-                          UNUSED SSL_CIPHER **cipher, void *arg)
-#else
 static int _session_secret(SSL *s, void *secret, int *secret_len,
                           UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers,
                           UNUSED SSL_CIPHER const **cipher, void *arg)
-#endif
 {
        // FIXME enforce non-anon cipher
 
index 4ff7bd7d99e79f1e0be68b16f3f00736b30821e0..cdf3e561268fd235ac281dcc916984cb413035ae 100644 (file)
@@ -36,7 +36,6 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 
 #include <freeradius-devel/server/base.h>
 #include <freeradius-devel/tls/base.h>
-#include <freeradius-devel/tls/missing.h>
 #include <freeradius-devel/server/module.h>
 
 #include "eap_pwd.h"
index bc43f82e57e0dd3f0c7d8172f7b2f1e95c08faac..3ea59bbfd09db768e93e8a93fb5c41fda41b2393 100644 (file)
@@ -43,7 +43,6 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 #include "attrs.h"
 #include "base.h"
 #include "log.h"
-#include "missing.h"
 
 /** Rcodes returned by the OCSP check function
  */
@@ -212,9 +211,8 @@ int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
                goto error;
        }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10102000L
        if (SSL_get0_chain_certs(ssl, &our_chain) == 0) {
-#else
+
        /*
         *      Ignore the return code for older versions of
         *      OpenSSL.
index 9353703568c3ec26c66bcb454d264c415bfa5461..beb605c5057244884f082617e817bb1ec7f16df5 100644 (file)
@@ -29,7 +29,6 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 #include <freeradius-devel/server/base.h>
 #include <freeradius-devel/server/module.h>
 #include <freeradius-devel/tls/base.h>
-#include <freeradius-devel/tls/missing.h>
 #include <freeradius-devel/util/base16.h>
 
 /*