> diff --git a/configure.ac b/configure.ac
> index dfb268ca..2617f344 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -922,6 +922,8 @@ if test "${with_crypto_library}" = "openssl"; then
>                       SSL_CTX_get_default_passwd_cb \
>                       SSL_CTX_get_default_passwd_cb_userdata \
>                       SSL_CTX_set_security_level \
> +                     X509_get0_notBefore \
> +                     X509_get0_notAfter \
>                       X509_get0_pubkey \
>                       X509_STORE_get0_objects \
>                       X509_OBJECT_free \
> diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
> index a4072b9a..788843a2 100644
> --- a/src/openvpn/openssl_compat.h
> +++ b/src/openvpn/openssl_compat.h
> @@ -89,6 +89,14 @@ EVP_MD_CTX_new(void)
>  }
>  #endif
>  
> +#if !defined(HAVE_X509_GET0_NOTBEFORE)
> +#define X509_get0_notBefore X509_get_notBefore
> +#endif
> +
> +#if !defined(HAVE_X509_GET0_NOTAFTER)
> +#define X509_get0_notAfter X509_get_notAfter
> +#endif
> +


This is fine.


>  #if !defined(HAVE_HMAC_CTX_RESET)
>  /**
>   * Reset a HMAC context
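Review bot: The two new fallback macros at the top of this hunk carry no comment, unlike the neighbouring compat shims such as the `HMAC_CTX_reset` block that follows them, so a reader has to already know that `X509_get0_notBefore`/`X509_get0_notAfter` only appeared in OpenSSL 1.1.0 to see why they are mapped onto `X509_get_notBefore`/`X509_get_notAfter`. I would add, above the first `#if`, `/* OpenSSL < 1.1.0 (and older LibreSSL) lack the const-returning X509_get0_* accessors; the legacy X509_get_* macros yield the same field and are a drop-in replacement for read-only callers such as X509_cmp_time(). */`. The comment should make the read-only caveat explicit, because the legacy macros hand back a non-const pointer and the shim would silently let a future caller mutate the validity period where the real `get0` API would not compile.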
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index 8bcebac4..e41cafa5 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */
>  void
>  tls_init_lib(void)
>  {
> +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && 
> !defined(LIBRESSL_VERSION_NUMBER))
>      SSL_library_init();
> -#ifndef ENABLE_SMALL
> +# ifndef ENABLE_SMALL
>      SSL_load_error_strings();
> -#endif
> +# endif
>      OpenSSL_add_all_algorithms();
> -
> +#endif


Please add a comment like
/* On OpenSSL 1.1.0 and above the library initializes itself
automatically. */
Otherwise people will be very confused why this code is that way.


>      mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, 
> NULL);
>      ASSERT(mydata_index >= 0);
>  }
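Review bot: In the new guard at the top of `tls_init_lib`, the `!defined(LIBRESSL_VERSION_NUMBER)` clause is dead: LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L`, so `< 0x10100000L` already excludes it, and writing the conjunction suggests LibreSSL is being handled specially when it is not. The real effect is that no LibreSSL release gets an explicit `SSL_library_init()`/`OpenSSL_add_all_algorithms()` any more, which is only safe if every LibreSSL version OpenVPN supports self-initialises (I believe that arrived around 2.7, please confirm); if older releases must keep working the guard should read `#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)` or similar. Separately, with `ENABLE_SMALL` the 1.1.0+ path now loads the error strings anyway, since automatic initialisation does so by default; if that trade-off matters, an explicit `OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_SSL_STRINGS | OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS, NULL);` under `ENABLE_SMALL` would preserve it.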
> @@ -89,9 +90,11 @@ tls_init_lib(void)
>  void
>  tls_free_lib(void)
>  {
> +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && 
> !defined(LIBRESSL_VERSION_NUMBER))
>      EVP_cleanup();
> -#ifndef ENABLE_SMALL
> +# ifndef ENABLE_SMALL
>      ERR_free_strings();
> +# endif
>  #endif
>  }

Same as above.

>  
> @@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
>          goto cleanup; /* Nothing to check if there is no certificate */
>      }
>  
> -    ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
> +    ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
>      if (ret == 0)
>      {
>          msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
> @@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
>          msg(M_WARN, "WARNING: Your certificate is not yet valid!");
>      }
>  
> -    ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
> +    ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
>      if (ret == 0)
>      {
>          msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
> @@ -634,10 +637,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, 
> const char *curve_name
>      else
>      {
>  #if OPENSSL_VERSION_NUMBER >= 0x10002000L
> +#if (OPENSSL_VERSION_NUMBER < 0x10100000L && 
> !defined(LIBRESSL_VERSION_NUMBER))
> +
>          /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
>           * loading */
>          SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
>          return;
> +#endif
>  #else
>          /* For older OpenSSL we have to extract the curve from key on our 
> own */
>          EC_KEY *eckey = NULL;
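Review bot: Placing `return;` inside the new inner `#if` changes control flow on OpenSSL 1.1.0+: the else branch used to leave `tls_ctx_load_ecdh_params` right after enabling automatic curve selection, and it now falls through to whatever follows the closing `#endif` and `}` (outside this hunk — presumably the fallback that picks a fixed curve and calls `SSL_CTX_set_tmp_ecdh()`, which on 1.1.0 would pin the server to a single group instead of letting it negotiate). OpenSSL 1.1.0 still provides `SSL_CTX_set_ecdh_auto()` as a no-op compatibility macro, so the smallest safe change is to keep the return unconditional within the 1.0.2+ branch: `SSL_CTX_set_ecdh_auto(ctx->ctx, 1);` / `#endif` / `return;`, or simply drop the inner `#if` altogether. The comment `/* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter loading */` should also state that on 1.1.0+ no call is needed at all, and as in the other hunks the `!defined(LIBRESSL_VERSION_NUMBER)` clause is redundant with the version comparison. The enclosing function starts before and ends after this hunk.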
> 


In general it would be better to split this patch into two: one renaming the
get/set accessors, and one removing the explicit initialisation for OpenSSL >= 1.1.0.

Arne
