From: Viktor Szakats Date: Mon, 27 Jan 2025 19:35:23 +0000 (+0100) Subject: openssl: drop support for old OpenSSL/LibreSSL versions X-Git-Tag: curl-8_13_0~403 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2cc90a679aae5342dd9bfdf451d4b98ec64f7374;p=thirdparty%2Fcurl.git openssl: drop support for old OpenSSL/LibreSSL versions Require OpenSSL 1.0.2a (2015-03-19) or LibreSSL 2.9.1 (2019-04-13). Closes #16104 --- diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md index 620839dafe..bc795aed71 100644 --- a/docs/INTERNALS.md +++ b/docs/INTERNALS.md @@ -24,7 +24,8 @@ versions of libs and build tools. We aim to support these or later versions. - - OpenSSL 0.9.7 + - OpenSSL 1.0.2a + - LibreSSL 2.9.1 - GnuTLS 3.1.10 - zlib 1.2.0.4 - libssh2 1.2.8 diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index c6c5a24b0b..e5ee341628 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -71,16 +71,7 @@ # include # include # include -# if (defined(OPENSSL_VERSION_NUMBER) && \ - (OPENSSL_VERSION_NUMBER < 0x00907001L)) && !defined(USE_WOLFSSL) -# define DES_key_schedule des_key_schedule -# define DES_cblock des_cblock -# define DES_set_odd_parity des_set_odd_parity -# define DES_set_key des_set_key -# define DES_ecb_encrypt des_ecb_encrypt -# define DESKEY(x) x -# define DESKEYARG(x) x -# elif defined(OPENSSL_IS_AWSLC) +# if defined(OPENSSL_IS_AWSLC) # define DES_set_key_unchecked (void)DES_set_key # define DESKEYARG(x) *x # define DESKEY(x) &x diff --git a/lib/setup-vms.h b/lib/setup-vms.h index 59b69b6806..d74f4ad630 100644 --- a/lib/setup-vms.h +++ b/lib/setup-vms.h 
@@ -394,51 +394,11 @@ static struct passwd *vms_getpwuid(uid_t uid) /* that way a newer port will also work if some one has one */ #ifdef __VAX -# if (OPENSSL_VERSION_NUMBER < 0x00907001L) -# define des_set_odd_parity DES_SET_ODD_PARITY -# define des_set_key DES_SET_KEY -# define des_ecb_encrypt DES_ECB_ENCRYPT - -# endif # include # ifndef OpenSSL_add_all_algorithms # define OpenSSL_add_all_algorithms OPENSSL_ADD_ALL_ALGORITHMS void OPENSSL_ADD_ALL_ALGORITHMS(void); # endif - - /* Curl defines these to lower case and VAX needs them in upper case */ - /* So we need static routines */ -# if (OPENSSL_VERSION_NUMBER < 0x00907001L) - -# undef des_set_odd_parity -# undef DES_set_odd_parity -# undef des_set_key -# undef DES_set_key -# undef des_ecb_encrypt -# undef DES_ecb_encrypt - - static void des_set_odd_parity(des_cblock *key) { - DES_SET_ODD_PARITY(key); - } - - static int des_set_key(const_des_cblock *key, - des_key_schedule schedule) { - return DES_SET_KEY(key, schedule); - } - - static void des_ecb_encrypt(const_des_cblock *input, - des_cblock *output, - des_key_schedule ks, int enc) { - DES_ECB_ENCRYPT(input, output, ks, enc); - } -#endif -/* Need this to stop a macro redefinition error */ -#if OPENSSL_VERSION_NUMBER < 0x00907000L -# ifdef X509_STORE_set_flags -# undef X509_STORE_set_flags -# define X509_STORE_set_flags(x,y) Curl_nop_stmt -# endif -#endif #endif #endif /* HEADER_CURL_SETUP_VMS_H */ diff --git a/lib/sha256.c b/lib/sha256.c index 4af858eb70..f271fb0ef6 100644 --- a/lib/sha256.c +++ b/lib/sha256.c 
@@ -32,41 +32,16 @@ #include "curl_sha256.h" #include "curl_hmac.h" -#ifdef USE_WOLFSSL -#include -#endif - -#if defined(USE_OPENSSL) - -#include - -#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) -#define USE_OPENSSL_SHA256 -#endif - -#endif /* USE_OPENSSL */ - -#ifdef USE_MBEDTLS +#ifdef USE_OPENSSL +#include +#elif defined(USE_GNUTLS) +#include +#elif defined(USE_MBEDTLS) #include - #if(MBEDTLS_VERSION_NUMBER >= 0x02070000) && \ (MBEDTLS_VERSION_NUMBER < 0x03000000) #define HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS #endif -#endif /* USE_MBEDTLS */ - -#if defined(USE_OPENSSL_SHA256) - -/* When OpenSSL or wolfSSL is available we use their SHA256-functions. */ -#if defined(USE_OPENSSL) -#include -#elif defined(USE_WOLFSSL) -#include -#endif - -#elif defined(USE_GNUTLS) -#include -#elif defined(USE_MBEDTLS) #include #elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \ @@ -95,7 +70,7 @@ * file even if multiple backends are enabled at the same time. */ -#if defined(USE_OPENSSL_SHA256) +#ifdef USE_OPENSSL struct ossl_sha256_ctx { EVP_MD_CTX *openssl_ctx; @@ -533,5 +508,4 @@ const struct HMAC_params Curl_HMAC_SHA256 = { 32 /* Result size. */ }; - #endif /* AWS, DIGEST, or libssh2 */ diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 3eddbfa7e4..4a6a93170f 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -34,7 +34,7 @@ #include /* Wincrypt must be included before anything that could include OpenSSL. */ -#if defined(USE_WIN32_CRYPTO) +#ifdef USE_WIN32_CRYPTO #include /* Undefine wincrypt conflicting symbols for BoringSSL. */ #undef X509_NAME @@ -83,7 +83,7 @@ #include #include -#if defined(HAVE_SSL_SET1_ECH_CONFIG_LIST) +#ifdef HAVE_SSL_SET1_ECH_CONFIG_LIST #define USE_ECH_OPENSSL #endif 
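Review bot: The rewritten include block in the first hunk drops the `#elif defined(USE_WOLFSSL)` include branch and the top-of-file `#ifdef USE_WOLFSSL` include, but the commit message only speaks of OpenSSL/LibreSSL. From the removed lines, the wolfSSL include sat under `#if defined(USE_OPENSSL_SHA256)`, and that macro was only ever defined inside `#if defined(USE_OPENSSL)`, so the branch was reachable only with both backends defined at once and is effectively dead; that reasoning is not visible from the history, so a sentence such as `Also drop the unreachable wolfSSL include branch and the options.h include from lib/sha256.c.` in the description would make the scope explicit. Whether any wolfSSL build depended on the options.h include here cannot be seen from this hunk and is worth a quick check.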
@@ -93,17 +93,25 @@ # endif #endif /* USE_ECH_OPENSSL */ -#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP) +#ifndef OPENSSL_NO_OCSP #include #endif -#if (OPENSSL_VERSION_NUMBER >= 0x0090700fL) && /* 0.9.7 or later */ \ - !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE) +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE) #define USE_OPENSSL_ENGINE #include #endif -#if OPENSSL_VERSION_NUMBER >= 0x03000000fL && !defined(OPENSSL_NO_UI_CONSOLE) +#ifdef LIBRESSL_VERSION_NUMBER +# /* As of LibreSSL 2.0.0-4.0.0: OPENSSL_VERSION_NUMBER == 0x20000000L */ +# if LIBRESSL_VERSION_NUMBER < 0x2090100fL /* 2019-04-13 */ +# error "LibreSSL 2.9.1 or later required" +# endif +#elif OPENSSL_VERSION_NUMBER < 0x1000201fL /* 2015-03-19 */ +# error "OpenSSL 1.0.2a or later required" +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x3000000fL && !defined(OPENSSL_NO_UI_CONSOLE) #include #include /* this is used in the following conditions to make them easier to read */ @@ -131,20 +139,7 @@ #include #endif -#if OPENSSL_VERSION_NUMBER >= 0x00909000L -#define SSL_METHOD_QUAL const -#else -#define SSL_METHOD_QUAL -#endif - -#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) -#define HAVE_ERR_REMOVE_THREAD_STATE 1 -#endif - -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \ - !(defined(LIBRESSL_VERSION_NUMBER) && \ - LIBRESSL_VERSION_NUMBER < 0x20700000L) -#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER +#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* OpenSSL 1.1.0+ and LibreSSL */ #define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */ #define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */ #define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */ 
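Review bot: The new floor `#elif OPENSSL_VERSION_NUMBER < 0x1000201fL` still admits 1.0.2a itself, yet the OCSP responder-issuer workaround removed later in this commit (the `verifystatus` hunk at `@@ -2529`) was guarded by `OPENSSL_VERSION_NUMBER <= 0x1000201fL /* Fixed after 1.0.2a */`, i.e. it covered 1.0.2a inclusive. Taken together, a 1.0.2a build passes the gate but loses the workaround for a bug that, per the removed comment, was still present in that exact release; either raise the floor to the next release (`0x1000202fL` in the same encoding, adjusting the `#error` text and the INTERNALS.md entry to match) or keep the workaround for that single release. A smaller point: the gate is placed after the `OPENSSL_NO_OCSP` and `USE_OPENSSL_ENGINE` conditionals and their includes, so an unsupported version would hit header errors before reaching the intended `#error`; moving the check directly after the first OpenSSL header include gives one clear diagnostic.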
@@ -157,16 +152,8 @@ #define X509_get0_notBefore(x) X509_get_notBefore(x) #define X509_get0_notAfter(x) X509_get_notAfter(x) #define CONST_EXTS /* nope */ -#ifndef LIBRESSL_VERSION_NUMBER #define OpenSSL_version_num() SSLeay() #endif -#endif - -#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \ - !(defined(LIBRESSL_VERSION_NUMBER) && \ - LIBRESSL_VERSION_NUMBER < 0x20700000L) -#define HAVE_X509_GET0_SIGNATURE 1 -#endif #if OPENSSL_VERSION_NUMBER >= 0x10002003L && \ OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \ @@ -174,11 +161,6 @@ #define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1 #endif -#if (OPENSSL_VERSION_NUMBER < 0x0090808fL) -/* not present in older OpenSSL */ -#define OPENSSL_load_builtin_modules(x) -#endif - #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) #define HAVE_EVP_PKEY_GET_PARAMS 1 #endif 
@@ -203,35 +185,21 @@ LIBRESSL_VERSION_NUMBER >= 0x3040100fL)) && \ !defined(OPENSSL_IS_BORINGSSL) #define HAVE_SSL_CTX_SET_CIPHERSUITES - #if !defined(OPENSSL_IS_AWSLC) + #ifndef OPENSSL_IS_AWSLC #define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH #endif #endif -/* - * Whether SSL_CTX_set1_curves_list is available. - * OpenSSL: supported since 1.0.2, see - * https://docs.openssl.org/master/man3/SSL_CTX_set1_curves/ - * BoringSSL: supported since 5fd1807d95f7 (committed 2016-09-30) - * LibreSSL: since 2.5.3 (April 12, 2017) - */ -#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) || \ - defined(OPENSSL_IS_BORINGSSL) -#define HAVE_SSL_CTX_SET_EC_CURVES -#endif - -#if defined(LIBRESSL_VERSION_NUMBER) +#ifdef LIBRESSL_VERSION_NUMBER #define OSSL_PACKAGE "LibreSSL" #elif defined(OPENSSL_IS_BORINGSSL) #define OSSL_PACKAGE "BoringSSL" #elif defined(OPENSSL_IS_AWSLC) #define OSSL_PACKAGE "AWS-LC" +#elif (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || defined(USE_MSH3) +#define OSSL_PACKAGE "quictls" #else -# if (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || defined(USE_MSH3) -# define OSSL_PACKAGE "quictls" -# else -# define OSSL_PACKAGE "OpenSSL" -#endif +#define OSSL_PACKAGE "OpenSSL" #endif #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) @@ -265,8 +233,6 @@ typedef int numcert_t; #endif #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ - !(defined(LIBRESSL_VERSION_NUMBER) && \ - LIBRESSL_VERSION_NUMBER < 0x2070100fL) && \ !defined(OPENSSL_IS_BORINGSSL) && \ !defined(OPENSSL_IS_AWSLC) #define HAVE_OPENSSL_VERSION 
@@ -287,13 +253,6 @@ typedef unsigned long sslerr_t; #define HAVE_SSL_X509_STORE_SHARE #endif -/* What API version do we use? */ -#if defined(LIBRESSL_VERSION_NUMBER) -#define USE_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f) -#else /* !LIBRESSL_VERSION_NUMBER */ -#define USE_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) -#endif /* !LIBRESSL_VERSION_NUMBER */ - static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl); static CURLcode push_certinfo(struct Curl_easy *data, @@ -449,7 +408,7 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl) if(result) break; -#if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS) +#ifdef HAVE_X509_GET0_EXTENSIONS { const X509_ALGOR *sigalg = NULL; X509_PUBKEY *xpubkey = NULL; @@ -666,21 +625,19 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl) #ifdef USE_OPENSSL -#if USE_PRE_1_1_API -#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL +#if OPENSSL_VERSION_NUMBER < 0x10100000L #define BIO_set_init(x,v) ((x)->init=(v)) #define BIO_get_data(x) ((x)->ptr) #define BIO_set_data(x,v) ((x)->ptr=(v)) -#endif #define BIO_get_shutdown(x) ((x)->shutdown) #define BIO_set_shutdown(x,v) ((x)->shutdown=(v)) -#endif /* USE_PRE_1_1_API */ +#endif /* HAVE_PRE_1_1_API */ static int ossl_bio_cf_create(BIO *bio) { BIO_set_shutdown(bio, 1); BIO_set_init(bio, 1); -#if USE_PRE_1_1_API +#if OPENSSL_VERSION_NUMBER < 0x10100000L bio->num = -1; #endif BIO_set_data(bio, NULL); @@ -797,7 +754,7 @@ static int ossl_bio_cf_in_read(BIO *bio, char *buf, int blen) return (int)nread; } -#if USE_PRE_1_1_API +#if OPENSSL_VERSION_NUMBER < 0x10100000L static BIO_METHOD ossl_bio_cf_meth_1_0 = { BIO_TYPE_MEM, 
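Review bot: The closing comment `#endif /* HAVE_PRE_1_1_API */` in the `@@ -666` hunk names a macro that never existed; the removed one was `USE_PRE_1_1_API` and the condition now tested is `OPENSSL_VERSION_NUMBER < 0x10100000L`. Use `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */` so the comment matches the guard. It may also be worth noting in that guard's comment that LibreSSL never takes this branch, since its `OPENSSL_VERSION_NUMBER` is `0x20000000L` as the new comment earlier in this commit states, which is the intended result given the 2.9.1 floor. `ossl_bio_cf_create` continues past the end of the hunk.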
@@ -866,9 +823,7 @@ ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done) if(!session || *keylog_done) return; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ - !(defined(LIBRESSL_VERSION_NUMBER) && \ - LIBRESSL_VERSION_NUMBER < 0x20700000L) +#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* ssl->s3 is not checked in OpenSSL 1.1.0-pre6, but let's assume that * we have a valid SSL context if we have a non-NULL session. */ SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE); @@ -915,15 +870,15 @@ static const char *SSL_ERROR_to_str(int err) return "SSL_ERROR_WANT_CONNECT"; case SSL_ERROR_WANT_ACCEPT: return "SSL_ERROR_WANT_ACCEPT"; -#if defined(SSL_ERROR_WANT_ASYNC) +#ifdef SSL_ERROR_WANT_ASYNC case SSL_ERROR_WANT_ASYNC: return "SSL_ERROR_WANT_ASYNC"; #endif -#if defined(SSL_ERROR_WANT_ASYNC_JOB) +#ifdef SSL_ERROR_WANT_ASYNC_JOB case SSL_ERROR_WANT_ASYNC_JOB: return "SSL_ERROR_WANT_ASYNC_JOB"; #endif -#if defined(SSL_ERROR_WANT_EARLY) +#ifdef SSL_ERROR_WANT_EARLY case SSL_ERROR_WANT_EARLY: return "SSL_ERROR_WANT_EARLY"; #endif @@ -1207,10 +1162,6 @@ static int use_certificate_chain_blob(SSL_CTX *ctx, const struct curl_blob *blob, const char *key_passwd) { -/* SSL_CTX_add1_chain_cert introduced in OpenSSL 1.0.2 */ -#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* OpenSSL 1.0.2 or later */ \ - !(defined(LIBRESSL_VERSION_NUMBER) && \ - (LIBRESSL_VERSION_NUMBER < 0x2090100fL)) /* LibreSSL 2.9.1 or later */ int ret = 0; X509 *x = NULL; void *passwd_callback_userdata = (void *)key_passwd; @@ -1262,12 +1213,6 @@ end: X509_free(x); BIO_free(in); return ret; -#else - (void)ctx; /* unused */ - (void)blob; /* unused */ - (void)key_passwd; /* unused */ - return 0; -#endif } static 
@@ -1844,8 +1789,7 @@ static CURLcode x509_name_oneline(X509_NAME *a, struct dynbuf *d) */ static int ossl_init(void) { -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ - (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL) +#if OPENSSL_VERSION_NUMBER >= 0x10100000L const uint64_t flags = #ifdef OPENSSL_INIT_ENGINE_ALL_BUILTIN /* not present in BoringSSL */ @@ -1895,8 +1839,7 @@ static int ossl_init(void) /* Global cleanup */ static void ossl_cleanup(void) { -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ - (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL) +#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* OpenSSL 1.1 deprecates all these cleanup functions and turns them into no-ops in OpenSSL 1.0 compatibility mode */ #else @@ -1912,11 +1855,7 @@ static void ossl_cleanup(void) ERR_free_strings(); /* Free thread local error state, destroying hash upon zero refcount */ -#ifdef HAVE_ERR_REMOVE_THREAD_STATE ERR_remove_thread_state(NULL); -#else - ERR_remove_state(0); -#endif /* Free all memory allocated by all configuration modules */ CONF_modules_free(); @@ -1934,18 +1873,7 @@ static void ossl_cleanup(void) static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine) { #ifdef USE_OPENSSL_ENGINE - ENGINE *e; - -#if OPENSSL_VERSION_NUMBER >= 0x00909000L - e = ENGINE_by_id(engine); -#else - /* avoid memory leak */ - for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) { - const char *e_id = ENGINE_get_id(e); - if(!strcmp(engine, e_id)) - break; - } -#endif + ENGINE *e = ENGINE_by_id(engine); if(!e) { failf(data, "SSL Engine '%s' not found", engine); 
@@ -2204,8 +2132,7 @@ static void ossl_close_all(struct Curl_easy *data) #else (void)data; #endif -#if !defined(HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED) && \ - defined(HAVE_ERR_REMOVE_THREAD_STATE) +#ifndef HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED /* OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread so we need to clean it here in case the thread will be killed. All OpenSSL code should extract the error in association with the error so clearing @@ -2463,14 +2390,13 @@ static CURLcode ossl_verifyhost(struct Curl_easy *data, return result; } -#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ - !defined(OPENSSL_NO_OCSP) +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP) static CURLcode verifystatus(struct Curl_cfilter *cf, struct Curl_easy *data, struct ossl_ctx *octx) { int i, ocsp_status; -#if defined(OPENSSL_IS_AWSLC) +#ifdef OPENSSL_IS_AWSLC const uint8_t *status; #else unsigned char *status; 
@@ -2529,34 +2455,6 @@ static CURLcode verifystatus(struct Curl_cfilter *cf, } st = SSL_CTX_get_cert_store(octx->ssl_ctx); -#if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \ - (defined(LIBRESSL_VERSION_NUMBER) && \ - LIBRESSL_VERSION_NUMBER <= 0x2040200fL)) - /* The authorized responder cert in the OCSP response MUST be signed by the - peer cert's issuer (see RFC6960 section 4.2.2.2). If that is a root cert, - no problem, but if it is an intermediate cert OpenSSL has a bug where it - expects this issuer to be present in the chain embedded in the OCSP - response. So we add it if necessary. */ - - /* First make sure the peer cert chain includes both a peer and an issuer, - and the OCSP response contains a responder cert. */ - if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) { - X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1); - - /* Find issuer of responder cert and add it to the OCSP response chain */ - for(i = 0; i < sk_X509_num(ch); i++) { - X509 *issuer = sk_X509_value(ch, i); - if(X509_check_issued(issuer, responder) == X509_V_OK) { - if(!OCSP_basic_add1_cert(br, issuer)) { - failf(data, "Could not add issuer cert to OCSP response"); - result = CURLE_SSL_INVALIDCERTSTATUS; - goto end; - } - } - } - } -#endif - if(OCSP_basic_verify(br, ch, st, 0) <= 0) { failf(data, "OCSP response verification failed"); result = CURLE_SSL_INVALIDCERTSTATUS; @@ -2856,9 +2754,8 @@ static void ossl_trace(int direction, int ssl_ver, int content_type, #ifdef USE_OPENSSL /* ====================================================== */ -/* Check for OpenSSL 1.0.2 which has ALPN support. */ -#if OPENSSL_VERSION_NUMBER >= 0x10002000L \ - && !defined(OPENSSL_NO_TLSEXT) +/* Check for ALPN support. */ +#ifndef OPENSSL_NO_TLSEXT # define HAS_ALPN_OPENSSL #endif 
@@ -2991,20 +2888,10 @@ ossl_set_ssl_version_min_max_legacy(ctx_option_t *ctx_options, #endif FALLTHROUGH(); case CURL_SSLVERSION_TLSv1_2: -#if OPENSSL_VERSION_NUMBER >= 0x1000100FL *ctx_options |= SSL_OP_NO_TLSv1_1; -#else - failf(data, OSSL_PACKAGE " was built without TLS 1.2 support"); - return CURLE_NOT_BUILT_IN; -#endif FALLTHROUGH(); case CURL_SSLVERSION_TLSv1_1: -#if OPENSSL_VERSION_NUMBER >= 0x1000100FL *ctx_options |= SSL_OP_NO_TLSv1; -#else - failf(data, OSSL_PACKAGE " was built without TLS 1.1 support"); - return CURLE_NOT_BUILT_IN; -#endif FALLTHROUGH(); case CURL_SSLVERSION_TLSv1_0: case CURL_SSLVERSION_TLSv1: @@ -3013,14 +2900,10 @@ ossl_set_ssl_version_min_max_legacy(ctx_option_t *ctx_options, switch(ssl_version_max) { case CURL_SSLVERSION_MAX_TLSv1_0: -#if OPENSSL_VERSION_NUMBER >= 0x1000100FL *ctx_options |= SSL_OP_NO_TLSv1_1; -#endif FALLTHROUGH(); case CURL_SSLVERSION_MAX_TLSv1_1: -#if OPENSSL_VERSION_NUMBER >= 0x1000100FL *ctx_options |= SSL_OP_NO_TLSv1_2; -#endif FALLTHROUGH(); case CURL_SSLVERSION_MAX_TLSv1_2: #ifdef TLS1_3_VERSION @@ -3165,7 +3048,7 @@ static CURLcode load_cacert_from_memory(X509_STORE *store, return (count > 0) ? CURLE_OK : CURLE_SSL_CACERT_BADFILE; } -#if defined(USE_WIN32_CRYPTO) +#ifdef USE_WIN32_CRYPTO static CURLcode import_windows_cert_store(struct Curl_easy *data, const char *name, X509_STORE *store, @@ -3333,7 +3216,7 @@ static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf, return CURLE_OUT_OF_MEMORY; if(verifypeer) { -#if defined(USE_WIN32_CRYPTO) +#ifdef USE_WIN32_CRYPTO /* Import certificates from the Windows root certificate store if requested. https://stackoverflow.com/questions/9507184/ 
@@ -3451,7 +3334,7 @@ static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf, https://web.archive.org/web/20190422050538/ rt.openssl.org/Ticket/Display.html?id=3621 */ -#if defined(X509_V_FLAG_TRUSTED_FIRST) +#ifdef X509_V_FLAG_TRUSTED_FIRST X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST); #endif #ifdef X509_V_FLAG_PARTIAL_CHAIN @@ -3472,7 +3355,7 @@ static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf, return result; } -#if defined(HAVE_SSL_X509_STORE_SHARE) +#ifdef HAVE_SSL_X509_STORE_SHARE /* key to use at `multi->proto_hash` */ #define MPROTO_OSSL_X509_KEY "tls:ossl:x509:share" @@ -3652,7 +3535,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, { CURLcode result = CURLE_OK; const char *ciphers; - SSL_METHOD_QUAL SSL_METHOD *req_method = NULL; + const SSL_METHOD *req_method = NULL; ctx_option_t ctx_options = 0; struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); @@ -3891,7 +3774,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, SSL_CTX_set_post_handshake_auth(octx->ssl_ctx, 1); #endif -#ifdef HAVE_SSL_CTX_SET_EC_CURVES { const char *curves = conn_config->curves; if(curves) { @@ -3901,7 +3783,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, } } } -#endif #ifdef USE_OPENSSL_SRP if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) { @@ -3985,8 +3866,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, SSL_set_app_data(octx->ssl, ssl_user_data); -#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ - !defined(OPENSSL_NO_OCSP) +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP) if(conn_config->verifystatus) SSL_set_tlsext_status_type(octx->ssl, TLSEXT_STATUSTYPE_ocsp); #endif 
@@ -4388,7 +4268,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, else failf(data, "%s", "SSL certificate verification failed"); } -#if defined(SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED) +#ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */ else if((lib == ERR_LIB_SSL) && @@ -4857,8 +4737,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf, } infof_certstack(data, octx->ssl); -#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ - !defined(OPENSSL_NO_OCSP) +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP) if(conn_config->verifystatus && !octx->reused_session) { /* do not do this after Session ID reuse */ result = verifystatus(cf, data, octx); @@ -5254,7 +5133,6 @@ static CURLcode ossl_get_channel_binding(struct Curl_easy *data, int sockindex, size_t Curl_ossl_version(char *buffer, size_t size) { #ifdef LIBRESSL_VERSION_NUMBER -#ifdef HAVE_OPENSSL_VERSION char *p; size_t count; const char *ver = OpenSSL_version(OPENSSL_VERSION); @@ -5268,13 +5146,6 @@ size_t Curl_ossl_version(char *buffer, size_t size) *p = '_'; } return count; -#else - return msnprintf(buffer, size, "%s/%lx.%lx.%lx", - OSSL_PACKAGE, - (LIBRESSL_VERSION_NUMBER >> 28) & 0xf, - (LIBRESSL_VERSION_NUMBER >> 20) & 0xff, - (LIBRESSL_VERSION_NUMBER >> 12) & 0xff); -#endif #elif defined(OPENSSL_IS_BORINGSSL) #ifdef CURL_BORINGSSL_VERSION return msnprintf(buffer, size, "%s/%s", 
@@ -5298,25 +5169,19 @@ size_t Curl_ossl_version(char *buffer, size_t size) sub[2]='\0'; sub[1]='\0'; ssleay_value = OpenSSL_version_num(); - if(ssleay_value < 0x906000) { - ssleay_value = SSLEAY_VERSION_NUMBER; - sub[0]='\0'; - } - else { - if(ssleay_value&0xff0) { - int minor_ver = (ssleay_value >> 4) & 0xff; - if(minor_ver > 26) { - /* handle extended version introduced for 0.9.8za */ - sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1); - sub[0] = 'z'; - } - else { - sub[0] = (char) (minor_ver + 'a' - 1); - } + if(ssleay_value&0xff0) { + int minor_ver = (ssleay_value >> 4) & 0xff; + if(minor_ver > 26) { + /* handle extended version introduced for 0.9.8za */ + sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1); + sub[0] = 'z'; + } + else { + sub[0] = (char) (minor_ver + 'a' - 1); } - else - sub[0]='\0'; } + else + sub[0]='\0'; return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s" #ifdef OPENSSL_FIPS @@ -5349,7 +5214,7 @@ static CURLcode ossl_random(struct Curl_easy *data, return rc == 1 ? CURLE_OK : CURLE_FAILED_INIT; } -#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) +#ifndef OPENSSL_NO_SHA256 static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */ size_t tmplen, unsigned char *sha256sum /* output */, @@ -5375,8 +5240,7 @@ static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */ static bool ossl_cert_status_request(void) { -#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ - !defined(OPENSSL_NO_OCSP) +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP) return TRUE; #else return FALSE; @@ -5429,7 +5293,7 @@ const struct Curl_ssl Curl_ssl_openssl = { ossl_set_engine_default, /* set_engine_default */ ossl_engines_list, /* engines_list */ NULL, /* false_start */ -#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) +#ifndef OPENSSL_NO_SHA256 ossl_sha256sum, /* sha256sum */ #else NULL, /* sha256sum */