Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

Steffan Karger Tue, 11 Apr 2017 14:24:04 -0700

Hi,

On 11-04-17 19:31, David Sommerseth wrote:
> As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8.
> This also makes it possible to remove a few workaronds which was
> needed earlier, as well as some left overs from v0.9.6.
> 
> This also makes ./configure really stop running unless a new enough
> OpenSSL library is found.
> 
> Compile tested on RHEL7.3 and RHEL6.7 (mock chroot build), both shipping
> openssl-1.0.1e.
> 
> Signed-off-by: David Sommerseth <dav...@openvpn.net>
> ---
>  configure.ac                                                  |  6 +++---
>  doc/openvpn.8                                                 |  1 -
>  .../keying-material-exporter-demo/keyingmaterialexporter.c    |  3 +--
>  sample/sample-plugins/log/log_v3.c                            |  3 +--
>  src/openvpn/ssl_openssl.c                                     |  3 ---
>  src/openvpn/ssl_openssl.h                                     | 11 
> -----------
>  src/openvpn/ssl_verify_openssl.c                              |  6 ++----
>  7 files changed, 7 insertions(+), 26 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 2406ad8..acea060 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -859,9 +859,9 @@ if test "${enable_crypto}" = "yes" -a 
> "${with_crypto_library}" = "openssl"; then
>               # if the user did not explicitly specify flags, try to 
> autodetect
>               PKG_CHECK_MODULES(
>                       [OPENSSL],
> -                     [libcrypto >= 0.9.8, libssl >= 0.9.8],
> -             [have_openssl="yes"],
> -                     [have_openssl="no"] # Provide if-not-found to prevent 
> erroring out
> +                     [libcrypto >= 1.0.1, libssl >= 1.0.1],
> +                     [have_openssl="yes"],
> +                     [AC_MSG_ERROR([Minimum supported OpenSSL version is 
> 1.0.1])]
>               )
>  
>               OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
> diff --git a/doc/openvpn.8 b/doc/openvpn.8
> index a9f5db7..c3248fd 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -2773,7 +2773,6 @@ OPENVPN_PLUGIN_TLS_FINAL callback.
>  Note that exporter labels have the potential to collide with existing PRF
>  labels. In order to prevent this, labels MUST begin with "EXPORTER".
>  
> -This option requires OpenSSL 1.0.1 or newer.
>  .\"*********************************************************
>  .SS Server Mode
>  Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode
> diff --git 
> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
>  
> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
> index 177977d..a72b374 100644
> --- 
> a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
> +++ 
> b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
> @@ -143,8 +143,7 @@ session_user_set(struct session *sess, X509 *x509)
>          {
>              continue;
>          }
> -        /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this 
> workaround */
> -        unsigned char *buf = (unsigned char *)1;
> +        unsigned char *buf = NULL;
>          if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
>          {
>              continue;
> diff --git a/sample/sample-plugins/log/log_v3.c 
> b/sample/sample-plugins/log/log_v3.c
> index 9037225..d3014f3 100644
> --- a/sample/sample-plugins/log/log_v3.c
> +++ b/sample/sample-plugins/log/log_v3.c
> @@ -197,7 +197,7 @@ x509_print_info(X509 *x509crt)
>      X509_NAME *x509_name;
>      X509_NAME_ENTRY *ent;
>      const char *objbuf;
> -    unsigned char *buf;
> +    unsigned char *buf = NULL;
>  
>      x509_name = X509_get_subject_name(x509crt);
>      n = X509_NAME_entry_count(x509_name);
> @@ -228,7 +228,6 @@ x509_print_info(X509 *x509crt)
>          {
>              continue;
>          }
> -        buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b 
> ASN1_STRING_to_UTF8 requires this workaround */
>          if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
>          {
>              continue;
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index d7cc2ba..645ccf5 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -254,10 +254,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned 
> int ssl_flags)
>              sslopt |= SSL_OP_NO_TLSv1_2;
>          }
>  #endif
> -#ifdef SSL_OP_NO_COMPRESSION
> -        /* Disable compression - flag not available in OpenSSL 0.9.8 */
>          sslopt |= SSL_OP_NO_COMPRESSION;
> -#endif
>          SSL_CTX_set_options(ctx->ctx, sslopt);
>      }
>  
> diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
> index 6ca4cb6..60a1f5e 100644
> --- a/src/openvpn/ssl_openssl.h
> +++ b/src/openvpn/ssl_openssl.h
> @@ -33,17 +33,6 @@
>  #include <openssl/ssl.h>
>  
>  /**
> - * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption",
> - * as this is something we do not want nor need, but could potentially be
> - * used for a future attack.  For compatibility reasons we keep building if 
> the
> - * OpenSSL version is too old (pre-0.9.8f) to support stateless session
> - * resumption (and the accompanying SSL_OP_NO_TICKET flag).
> - */
> -#ifndef SSL_OP_NO_TICKET
> -#define SSL_OP_NO_TICKET 0
> -#endif
> -
> -/**
>   * Structure that wraps the TLS context. Contents differ depending on the
>   * SSL library used.
>   */
> diff --git a/src/openvpn/ssl_verify_openssl.c 
> b/src/openvpn/ssl_verify_openssl.c
> index 5624daa..54eadbd 100644
> --- a/src/openvpn/ssl_verify_openssl.c
> +++ b/src/openvpn/ssl_verify_openssl.c
> @@ -458,8 +458,7 @@ x509_setenv_track(const struct x509_track *xt, struct 
> env_set *es, const int dep
>                          if (ent)
>                          {
>                              ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
> -                            unsigned char *buf;
> -                            buf = (unsigned char *)1; /* bug in OpenSSL 
> 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
> +                            unsigned char *buf = NULL;
>                              if (ASN1_STRING_to_UTF8(&buf, val) > 0)
>                              {
>                                  do_setenv_x509(es, xt->name, (char *)buf, 
> depth);
> @@ -514,7 +513,7 @@ x509_setenv(struct env_set *es, int cert_depth, 
> openvpn_x509_cert_t *peer_cert)
>      ASN1_STRING *val;
>      X509_NAME_ENTRY *ent;
>      const char *objbuf;
> -    unsigned char *buf;
> +    unsigned char *buf = NULL;
>      char *name_expand;
>      size_t name_expand_size;
>      X509_NAME *x509 = X509_get_subject_name(peer_cert);
> @@ -547,7 +546,6 @@ x509_setenv(struct env_set *es, int cert_depth, 
> openvpn_x509_cert_t *peer_cert)
>          {
>              continue;
>          }
> -        buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b 
> ASN1_STRING_to_UTF8 requires this workaround */
>          if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
>          {
>              continue;
>


For master: ACK.

For release/2.4: I wonder whether we need to keep 0.9.8 support, as
SLES11 still ships with 0.9.8h, and has general support until 31 Mar 2019.

-Steffan

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

Reply via email to