Re: [Openvpn-devel] [PATCH applied] Re: openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
On Fri, Aug 16, 2019 at 12:31 PM Gert Doering wrote: > > Your patch has been applied to the master branch. > > Is this also suitable for release/2.4? "You folks tell me, I do the > cherry-picking" (if it applies) :-) 2.4 is what I did my testing on, so yes. > > I have removed the extra spaces in "# if" constructs, as this is not > something we use elsewhere on nested CPP expressions (it came up in the > discussion, but was still part of this patch). > > Tested lightly with openssl 1.0.2o and 1.1.1. > > commit 8a01147ff77e4ae2e377744b89fbe4b6841b2bb0 (master) > Author: Rosen Penev > Date: Wed Jul 24 17:29:34 2019 +0200 > > openssl: Fix compilation without deprecated OpenSSL 1.1 APIs > > Signed-off-by: Rosen Penev > Signed-off-by: Arne Schwabe > Acked-by: Rosen Penev > Acked-by: Steffan Karger > Message-Id: <20190724152934.9884-1-a...@rfc2549.org> > URL: > https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18700.html > Signed-off-by: Gert Doering > > > -- > kind regards, > > Gert Doering > ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v3] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
On Wed, Jul 24, 2019 at 8:29 AM Arne Schwabe wrote: > > From: Rosen Penev > > EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were > replaced with _reset. > > EVP_CIPHER_CTX_free in OpenSSL 1.1 replaces the cleanup/free combo of > earlier OpenSSL version. And OpenSSL 1.0.2 already calls cleanup as part > of _free. > > Therefore we can remove the _cleanup calls and use the OpenSSL 1.1. API > everywhere. > > Also removed initialisation with OpenSSL 1.1 as it is no longer > needed and causes compilation errors when disabling deprecated APIs. > > Same with SSL_CTX_set_ecdh_auto as it got removed. > > Patch V3: Use EVP_CIPHER_CTX_reset instead of init/cleanup > > Signed-off-by: Rosen Penev > Signed-off-by: Arne Schwabe ACK > --- > configure.ac | 3 +++ > src/openvpn/crypto.c | 1 - > src/openvpn/crypto_backend.h | 9 + > src/openvpn/crypto_mbedtls.c | 7 +-- > src/openvpn/crypto_openssl.c | 8 +--- > src/openvpn/openssl_compat.h | 12 > src/openvpn/ssl_openssl.c| 18 -- > 7 files changed, 30 insertions(+), 28 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 59673e04..b8e2476f 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -918,10 +918,13 @@ if test "${with_crypto_library}" = "openssl"; then > EVP_MD_CTX_new \ > EVP_MD_CTX_free \ > EVP_MD_CTX_reset \ > + EVP_CIPHER_CTX_reset \ > OpenSSL_version \ > SSL_CTX_get_default_passwd_cb \ > SSL_CTX_get_default_passwd_cb_userdata \ > SSL_CTX_set_security_level \ > + X509_get0_notBefore \ > + X509_get0_notAfter \ > X509_get0_pubkey \ > X509_STORE_get0_objects \ > X509_OBJECT_free \ > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 8a92a8c1..585bfbc6 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c > @@ -906,7 +906,6 @@ free_key_ctx(struct key_ctx *ctx) > { > if (ctx->cipher) > { > -cipher_ctx_cleanup(ctx->cipher); > cipher_ctx_free(ctx->cipher); > ctx->cipher = NULL; > } 
> diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h > index 7e9a4bd2..d119442f 100644 > --- a/src/openvpn/crypto_backend.h > +++ b/src/openvpn/crypto_backend.h > @@ -341,7 +341,7 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher); > cipher_ctx_t *cipher_ctx_new(void); > > /** > - * Free a cipher context > + * Cleanup and free a cipher context > * > * @param ctx Cipher context. > */ > @@ -360,13 +360,6 @@ void cipher_ctx_free(cipher_ctx_t *ctx); > void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, int key_len, > const cipher_kt_t *kt, int enc); > > -/** > - * Cleanup the specified context. > - * > - * @param ctx Cipher context to cleanup. > - */ > -void cipher_ctx_cleanup(cipher_ctx_t *ctx); > - > /** > * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is > * used. > diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c > index 2e931440..f924323d 100644 > --- a/src/openvpn/crypto_mbedtls.c > +++ b/src/openvpn/crypto_mbedtls.c > @@ -616,12 +616,6 @@ cipher_ctx_init(mbedtls_cipher_context_t *ctx, const > uint8_t *key, int key_len, > ASSERT(ctx->key_bitlen <= key_len*8); > } > > -void > -cipher_ctx_cleanup(mbedtls_cipher_context_t *ctx) > -{ > -mbedtls_cipher_free(ctx); > -} > - > int > cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx) > { > @@ -861,6 +855,7 @@ md_ctx_new(void) > void > md_ctx_free(mbedtls_md_context_t *ctx) > { > +mbedtls_cipher_free(ctx); > free(ctx); > } > > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index c049e52d..520e40ee 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -772,7 +772,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, > int key_len, > { > ASSERT(NULL != kt && NULL != ctx); > > -EVP_CIPHER_CTX_init(ctx); > +EVP_CIPHER_CTX_reset(ctx); > if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) > { > crypto_msg(M_FATAL, "EVP cipher init #1"); 
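Review bot: The single line added to `md_ctx_free` in the crypto_mbedtls.c hunk passes a `mbedtls_md_context_t *` to `mbedtls_cipher_free`, which takes a `mbedtls_cipher_context_t *`, so it tears down the wrong kind of context and would at least draw an incompatible-pointer-type diagnostic; if a digest context is meant to be released here the call is `mbedtls_md_free(ctx);`, otherwise the line should go. The deleted `cipher_ctx_cleanup` was the mbedTLS backend's only visible `mbedtls_cipher_free` call, and the crypto.c hunk on the previous line makes `free_key_ctx` depend on `cipher_ctx_free` alone, so unless `cipher_ctx_free` (not shown in this series) now does `mbedtls_cipher_free(ctx); free(ctx);`, every cipher context torn down through `free_key_ctx` leaks its internal state on mbedTLS builds. It looks like this one insertion landed in the wrong function.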
> @@ -792,12 +792,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, > int key_len, > ASSERT(EVP_CIPHER_CTX_key_l
[Openvpn-devel] [PATCHv3] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were replaced with _reset. Also removed initialization with OpenSSL 1.1 as it is no longer needed and causes compilation errors when disabling deprecated APIs. Signed-off-by: Rosen Penev --- v2: Squashed previous patches together. v3: Check for _reset function only. configure.ac | 3 +++ src/openvpn/crypto_openssl.c | 8 src/openvpn/openssl_compat.h | 8 src/openvpn/ssl_openssl.c| 11 --- 4 files changed, 27 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index e9f8a2f9..c7fd7a84 100644 --- a/configure.ac +++ b/configure.ac @@ -919,10 +919,13 @@ if test "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + EVP_CIPHER_CTX_reset \ OpenSSL_version \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ + X509_get0_notBefore \ + X509_get0_notAfter \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c049e52d..d8aa4835 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -772,7 +772,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); +#if defined(HAVE_EVP_CIPHER_CTX_RESET) +EVP_CIPHER_CTX_reset(ctx); +#else EVP_CIPHER_CTX_init(ctx); +#endif if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #1"); @@ -795,7 +799,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, void cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) { +#if defined(HAVE_EVP_CIPHER_CTX_RESET) +EVP_CIPHER_CTX_reset(ctx); +#else EVP_CIPHER_CTX_cleanup(ctx); +#endif } int diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index a4072b9a..788843a2 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h 
@@ -89,6 +89,14 @@ EVP_MD_CTX_new(void) } #endif +#if !defined(HAVE_X509_GET0_NOTBEFORE) +#define X509_get0_notBefore X509_get_notBefore +#endif + +#if !defined(HAVE_X509_GET0_NOTAFTER) +#define X509_get0_notAfter X509_get_notAfter +#endif + #if !defined(HAVE_HMAC_CTX_RESET) /** * Reset a HMAC context diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 8bcebac4..e285bc56 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) SSL_library_init(); #ifndef ENABLE_SMALL SSL_load_error_strings(); #endif OpenSSL_add_all_algorithms(); - +#endif mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); } @@ -89,10 +90,12 @@ tls_init_lib(void) void tls_free_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) EVP_cleanup(); #ifndef ENABLE_SMALL ERR_free_strings(); #endif +#endif } void @@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) goto cleanup; /* Nothing to check if there is no certificate */ } -ret = X509_cmp_time(X509_get_notBefore(cert), NULL); +ret = X509_cmp_time(X509_get0_notBefore(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); @@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) msg(M_WARN, "WARNING: Your certificate is not yet valid!"); } -ret = X509_cmp_time(X509_get_notAfter(cert), NULL); +ret = X509_cmp_time(X509_get0_notAfter(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); 
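Review bot: In the `tls_init_lib` hunk the whole `SSL_library_init`/`SSL_load_error_strings`/`OpenSSL_add_all_algorithms` group is compiled out for OpenSSL 1.1, so the `#ifndef ENABLE_SMALL` distinction disappears on those builds: as far as I recall, 1.1's implicit initialisation loads the error strings by default, which is exactly what `ENABLE_SMALL` was avoiding. The first version of this series (bottom of the page) kept that behaviour with `OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_SSL_STRINGS, NULL);` under `ENABLE_SMALL`; an explicit call like that in an `#else` branch of the new `#if` would preserve it. Whether the size difference matters on the targets that build with `ENABLE_SMALL` is for the maintainers to judge.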
@@ -634,10 +637,12 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name else { #if OPENSSL_VERSION_NUMBER >= 0x10002000L +#if (OPENSSL_VERSION_NUMBER < 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ SSL_CTX_set_ecdh_auto(ctx->ctx, 1); return; +#endif #else /* For older OpenSSL we have to extract the curve from key on our own */ EC_KEY *eckey = NULL; -- 2.17.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
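Review bot: In the `tls_ctx_load_ecdh_params` hunk the added inner `#if` encloses `return;` together with `SSL_CTX_set_ecdh_auto`, so for OpenSSL 1.1 (and LibreSSL) the `else` branch compiles to nothing and control falls through to whatever follows the outer `#endif`, which is outside the hunk; that code was never reached on this path before the patch, so the no-`--ecdh-curve` case on 1.1 builds now behaves differently from 1.0.2 builds. Only the `SSL_CTX_set_ecdh_auto` call needs guarding, since 1.1 selects ECDH curves automatically without it; close the inner block right after `SSL_CTX_set_ecdh_auto(ctx->ctx, 1);` and keep `return;` unconditional, with a comment such as `/* OpenSSL 1.1+ always selects the ECDH curve automatically */`. The v2 hunk on the `[PATCHv2]` message and the original `get0 variants` patch further down have the same layout. The rest of the function is outside the hunk.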
Re: [Openvpn-devel] [PATCHv2] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
On Fri, Jun 14, 2019 at 3:38 AM Arne Schwabe wrote: > > Am 04.04.19 um 00:56 schrieb Rosen Penev: > > EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were > > replaced with _reset. > > > > Also removed initialization with OpenSSL 1.1 as it is no longer needed and > > causes compilation errors when disabling deprecated APIs. > > > > Same with SSL_CTX_set_ecdh_auto as it got removed. > > > > This gets kind of an ACK but needs some additional changes to be really > good. > > > > > > +#if !defined(HAVE_EVP_CIPHER_CTX_INIT) > > +#define EVP_CIPHER_CTX_init EVP_CIPHER_CTX_reset > > +#endif > > + > > +#if !defined(HAVE_EVP_CIPHER_CTX_CLEANUP) > > +#define EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_reset > > +#endif > > These two keep the older API instead of switching to the new one, from > OpenSSL. Yes I know. I feel that it's a cleaner solution as _init and _cleanup both get defined to _reset. > > # if OPENSSL_API_COMPAT < 0x1010L > # define EVP_CIPHER_CTX_init(c) EVP_CIPHER_CTX_reset(c) > # define EVP_CIPHER_CTX_cleanup(c) EVP_CIPHER_CTX_reset(c) > # endif > > Since just using only the new API in this case does not really work I > think in case it would be better to rather always use > EVP_CIPHER_CTX_reset isntead of init and have ifdefs in the 2-3 places > where we actually use EVP_CIPHER_CTX_cleanup so we can remove the old > API when we bump our minimum OpenSSL version (and find this thing easy > since it is an ifdef depending on the openssl version). OK. Will change. > > > + > > +#if !defined(HAVE_X509_GET0_NOTBEFORE) > > +#define X509_get0_notBefore X509_get_notBefore > > +#endif > > + > > +#if !defined(HAVE_X509_GET0_NOTAFTER) > > +#define X509_get0_notAfter X509_get_notAfter > > +#endif > > + > > #if !defined(HAVE_HMAC_CTX_RESET) > > /** > > * Reset a HMAC context > > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > > index 8bcebac4..e41cafa5 100644 > > --- a/src/openvpn/ssl_openssl.c > > +++ b/src/openvpn/ssl_openssl.c 
> > @@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */ > > void > > tls_init_lib(void) > > { > > +#if (OPENSSL_VERSION_NUMBER < 0x1010L && > > !defined(LIBRESSL_VERSION_NUMBER)) > > SSL_library_init(); > > -#ifndef ENABLE_SMALL > > +# ifndef ENABLE_SMALL > > The space between # and ifndef looks wrong. Will eliminate. Not sure exactly why I added the space ATM. > > > Arne > ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Remove wrong poll.h include
musl reports: warning redirecting incorrect #include to Signed-off-by: Rosen Penev --- configure.ac | 2 +- src/openvpn/syshead.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 891799ea..37880d29 100644 --- a/configure.ac +++ b/configure.ac @@ -436,7 +436,7 @@ AC_CHECK_HEADERS([ \ unistd.h signal.h libgen.h stropts.h \ syslog.h pwd.h grp.h \ sys/sockio.h sys/uio.h linux/sockios.h \ - linux/types.h sys/poll.h sys/epoll.h err.h \ + linux/types.h poll.h sys/epoll.h err.h \ ]) SOCKET_INCLUDES=" diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index d2a50341..2b4c49ff 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -179,8 +179,8 @@ #include #endif -#ifdef HAVE_SYS_POLL_H -#include +#ifdef HAVE_POLL_H +#include #endif #ifdef HAVE_SYS_EPOLL_H -- 2.17.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCHv2] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were replaced with _reset. Also removed initialization with OpenSSL 1.1 as it is no longer needed and causes compilation errors when disabling deprecated APIs. Same with SSL_CTX_set_ecdh_auto as it got removed. Signed-off-by: Rosen Penev --- v2: Squashed previous patches together. configure.ac | 4 src/openvpn/openssl_compat.h | 16 src/openvpn/ssl_openssl.c| 18 -- 3 files changed, 32 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index dfb268ca..891799ea 100644 --- a/configure.ac +++ b/configure.ac @@ -918,10 +918,14 @@ if test "${with_crypto_library}" = "openssl"; then EVP_MD_CTX_new \ EVP_MD_CTX_free \ EVP_MD_CTX_reset \ + EVP_CIPHER_CTX_init \ + EVP_CIPHER_CTX_cleanup \ OpenSSL_version \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ + X509_get0_notBefore \ + X509_get0_notAfter \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index a4072b9a..2453b85e 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -89,6 +89,22 @@ EVP_MD_CTX_new(void) } #endif +#if !defined(HAVE_EVP_CIPHER_CTX_INIT) +#define EVP_CIPHER_CTX_init EVP_CIPHER_CTX_reset +#endif + +#if !defined(HAVE_EVP_CIPHER_CTX_CLEANUP) +#define EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_reset +#endif + +#if !defined(HAVE_X509_GET0_NOTBEFORE) +#define X509_get0_notBefore X509_get_notBefore +#endif + +#if !defined(HAVE_X509_GET0_NOTAFTER) +#define X509_get0_notAfter X509_get_notAfter +#endif + #if !defined(HAVE_HMAC_CTX_RESET) /** * Reset a HMAC context diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 8bcebac4..e41cafa5 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) SSL_library_init(); -#ifndef ENABLE_SMALL +# ifndef ENABLE_SMALL SSL_load_error_strings(); -#endif +# endif OpenSSL_add_all_algorithms(); - +#endif mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); } @@ -89,9 +90,11 @@ tls_init_lib(void) void tls_free_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) EVP_cleanup(); -#ifndef ENABLE_SMALL +# ifndef ENABLE_SMALL ERR_free_strings(); +# endif #endif } @@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) goto cleanup; /* Nothing to check if there is no certificate */ } -ret = X509_cmp_time(X509_get_notBefore(cert), NULL); +ret = X509_cmp_time(X509_get0_notBefore(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); @@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) msg(M_WARN, "WARNING: Your certificate is not yet valid!"); } -ret = X509_cmp_time(X509_get_notAfter(cert), NULL); +ret = X509_cmp_time(X509_get0_notAfter(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); @@ -634,10 +637,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name else { #if OPENSSL_VERSION_NUMBER >= 0x10002000L +#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) + /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ SSL_CTX_set_ecdh_auto(ctx->ctx, 1); return; +#endif #else /* For older OpenSSL we have to extract the curve from key on our own */ EC_KEY *eckey = NULL; -- 2.17.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] openssl: Replace not[Before/After] functions with get0 variants
On Thu, Mar 28, 2019 at 12:51 AM Gert Doering wrote: > > Hi, > > On Wed, Mar 27, 2019 at 02:56:26PM -0700, Rosen Penev wrote: > > Also removed initialization with OpenSSL 1.1 as it is no longer needed and > > causes compilation errors when disabling deprecated APIs. > > > > Same with SSL_CTX_set_ecdh_auto as it got removed. > > The Subject: line is a bit misleading - shouldn't this be more something > like "Avoid calling deprecated-API calls of OpenSSL 1.1" or similar? Yeah. The patch doesn't fully fix it though. I ended up with a somewhat workable solution though. https://github.com/neheb/openvpn/commit/945f190a1bfbde3d6bf11f5b576f5c9e5ec1b0f3 I can squash both of these so that they get the same Subject line. > > (People *do* look at commit logs, and the current subject does not cover > making the SSL_library_init() call conditional, etc.) > > On the patch itself, I have no strong opinion and would welcome a review > from Steffan or Arne :-) - the Subject: line I can fix at commit time. > > gert > -- > "If was one thing all people took for granted, was conviction that if you > feed honest figures into a computer, honest figures come out. Never doubted > it myself till I met a computer with a sense of humor." > Robert A. Heinlein, The Moon is a Harsh Mistress > > Gert Doering - Munich, Germany g...@greenie.muc.de ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] openssl: Replace not[Before/After] functions with get0 variants
Also removed initialization with OpenSSL 1.1 as it is no longer needed and causes compilation errors when disabling deprecated APIs. Same with SSL_CTX_set_ecdh_auto as it got removed. Signed-off-by: Rosen Penev --- configure.ac | 2 ++ src/openvpn/openssl_compat.h | 8 src/openvpn/ssl_openssl.c| 18 -- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index dfb268ca..2617f344 100644 --- a/configure.ac +++ b/configure.ac @@ -922,6 +922,8 @@ if test "${with_crypto_library}" = "openssl"; then SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ SSL_CTX_set_security_level \ + X509_get0_notBefore \ + X509_get0_notAfter \ X509_get0_pubkey \ X509_STORE_get0_objects \ X509_OBJECT_free \ diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index a4072b9a..788843a2 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -89,6 +89,14 @@ EVP_MD_CTX_new(void) } #endif +#if !defined(HAVE_X509_GET0_NOTBEFORE) +#define X509_get0_notBefore X509_get_notBefore +#endif + +#if !defined(HAVE_X509_GET0_NOTAFTER) +#define X509_get0_notAfter X509_get_notAfter +#endif + #if !defined(HAVE_HMAC_CTX_RESET) /** * Reset a HMAC context diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 8bcebac4..e41cafa5 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) SSL_library_init(); -#ifndef ENABLE_SMALL +# ifndef ENABLE_SMALL SSL_load_error_strings(); -#endif +# endif OpenSSL_add_all_algorithms(); - +#endif mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); } 
@@ -89,9 +90,11 @@ tls_init_lib(void) void tls_free_lib(void) { +#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) EVP_cleanup(); -#ifndef ENABLE_SMALL +# ifndef ENABLE_SMALL ERR_free_strings(); +# endif #endif } @@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) goto cleanup; /* Nothing to check if there is no certificate */ } -ret = X509_cmp_time(X509_get_notBefore(cert), NULL); +ret = X509_cmp_time(X509_get0_notBefore(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); @@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) msg(M_WARN, "WARNING: Your certificate is not yet valid!"); } -ret = X509_cmp_time(X509_get_notAfter(cert), NULL); +ret = X509_cmp_time(X509_get0_notAfter(cert), NULL); if (ret == 0) { msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); @@ -634,10 +637,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name else { #if OPENSSL_VERSION_NUMBER >= 0x10002000L +#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER)) + /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ SSL_CTX_set_ecdh_auto(ctx->ctx, 1); return; +#endif #else /* For older OpenSSL we have to extract the curve from key on our own */ EC_KEY *eckey = NULL; -- 2.17.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCHv2] openvpn: Add missing OpenSSL includes
These get included when deprecated APIs are enabled. This is true on at least version 1.0.2 and 1.1.0. Without deprecated APIs, OpenVPN fails to compile. Signed-off-by: Rosen Penev --- src/openvpn/ssl_openssl.c| 9 + src/openvpn/ssl_verify_openssl.c | 1 + 2 files changed, 10 insertions(+) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 527a600a..d9aec9bd 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -56,6 +56,15 @@ #include #include #include +#ifndef OPENSSL_NO_DH +#include +#endif +#ifndef OPENSSL_NO_DSA +#include +#endif +#ifndef OPENSSL_NO_RSA +#include +#endif #ifndef OPENSSL_NO_EC #include #endif diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 9b984751..82460ae7 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -46,6 +46,7 @@ #include #include +#include int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) -- 2.17.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] openvpn: Add missing OpenSSL includes
On Thu, Jun 21, 2018 at 6:59 PM Antonio Quartulli wrote: > > Hi, > > On 22/06/18 09:49, Rosen Penev wrote: > > These get included when deprecated APIs are enabled. This is true on at > > least version 1.0.2 and 1.1.0. > > > > Without deprecated APIs, OpenVPN fails to compile. > > > > Signed-off-by: Rosen Penev > > --- > > ...ilation-with-deprecated-APIs-disable.patch | 148 ++ > > Was this patch committed by accident? Yeah it was. will resend. > > Cheers, > > > -- > Antonio Quartulli -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] openvpn: Add missing OpenSSL includes
These get included when deprecated APIs are enabled. This is true on at least version 1.0.2 and 1.1.0. Without deprecated APIs, OpenVPN fails to compile. Signed-off-by: Rosen Penev --- ...ilation-with-deprecated-APIs-disable.patch | 148 ++ src/openvpn/ssl_openssl.c | 9 ++ src/openvpn/ssl_verify_openssl.c | 1 + 3 files changed, 158 insertions(+) create mode 100644 src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch diff --git a/src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch b/src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch new file mode 100644 index ..11adff21 --- /dev/null +++ b/src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch 
@@ -0,0 +1,148 @@ +From f581a10cbf5b40afbee2d9fc9454ce12e1611668 Mon Sep 17 00:00:00 2001 +From: Rosen Penev +Date: Tue, 19 Jun 2018 21:44:57 -0700 +Subject: [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1 + +Signed-off-by: Rosen Penev +--- + src/openvpn/crypto_openssl.c | 9 + + src/openvpn/ssl_openssl.c| 32 +++- + src/openvpn/ssl_verify_openssl.c | 1 + + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c +index 4fb2f6d6..816d8002 100644 +--- a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c +@@ -670,11 +670,16 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, + { + ASSERT(NULL != kt && NULL != ctx); + ++#if OPENSSL_VERSION_NUMBER < 0x1010L + EVP_CIPHER_CTX_init(ctx); ++#else ++EVP_CIPHER_CTX_new(); ++#endif + if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) + { + crypto_msg(M_FATAL, "EVP cipher init #1"); + } ++ + #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH + if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len)) + { +@@ -693,7 +698,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, + void + cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) + { ++#if OPENSSL_VERSION_NUMBER < 0x1010L + EVP_CIPHER_CTX_cleanup(ctx); ++#else ++EVP_CIPHER_CTX_free(ctx); ++#endif + } + + int +diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c +index 527a600a..92ed4926 100644 +--- a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c +@@ -56,6 +56,15 @@ + #include + #include + #include ++#ifndef OPENSSL_NO_DH ++#include ++#endif ++#ifndef OPENSSL_NO_DSA ++#include ++#endif ++#ifndef OPENSSL_NO_RSA ++#include ++#endif + #ifndef OPENSSL_NO_EC + #include + #endif +@@ -71,11 +80,19 @@ int mydata_index; /* GLOBAL */ + void + tls_init_lib(void) + { ++#if OPENSSL_VERSION_NUMBER < 0x1010L + SSL_library_init(); ++OpenSSL_add_all_algorithms(); + #ifndef ENABLE_SMALL + SSL_load_error_strings(); + #endif +-OpenSSL_add_all_algorithms(); ++#else 
++#ifndef ENABLE_SMALL ++OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); ++#else ++OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_SSL_STRINGS, NULL); ++#endif ++#endif + + mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); + ASSERT(mydata_index >= 0); +@@ -84,10 +101,12 @@ tls_init_lib(void) + void + tls_free_lib(void) + { ++#if OPENSSL_VERSION_NUMBER < 0x1010L //this is no-op in future versions + EVP_cleanup(); + #ifndef ENABLE_SMALL + ERR_free_strings(); + #endif ++#endif + } + + void +@@ -473,6 +492,11 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) + goto cleanup; /* Nothing to check if there is no certificate */ + } + ++#if OPENSSL_VERSION_NUMBER >= 0x1010L ++#define X509_get_notBeforeX509_get0_notBefore ++#define X509_get_notAfter X509_get0_notAfter ++#endif ++ + ret = X509_cmp_time(X509_get_notBefore(cert), NULL); + if (ret == 0) + { +@@ -567,7 +591,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name + #if OPENSSL_VERSION_NUMBER >= 0x10002000L + /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter + * loading */ ++#if OPENSSL_VERSION_NUMBER < 0x1010L + SSL_CTX_set_ecdh_auto(ctx->ctx, 1); ++#endif + return; + #else + /* For older OpenSSL we have to extract the curve from key on our own */ +@@ -2037,7 +2063,11 @@ get_highest_preference_tls_cipher(char *buf, int size) + const char * + get_ssl_library_version(void) + { ++#if OPENSSL_VERSION_NUMBER < 0x1010L + return SSLeay_version(SSLEAY_VERSION); ++#else ++return OpenSSL_version(OPENSSL_VERSION); ++#endif + } + + #endif /* defined(ENABLE_CRYPTO_OPENSSL) */ +diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c +index 9b984751..82460ae7 100644 +--- a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c +@@ -46,6 +46,7 @@ + + #inclu
Re: [Openvpn-devel] [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1
On Tue, Jun 19, 2018 at 10:00 PM Gert Doering wrote: > > Hi, > > On Tue, Jun 19, 2018 at 09:46:50PM -0700, Rosen Penev wrote: > > Signed-off-by: Rosen Penev > > --- > > src/openvpn/crypto_openssl.c | 9 + > > src/openvpn/ssl_openssl.c| 32 +++- > > src/openvpn/ssl_verify_openssl.c | 1 + > > 3 files changed, 41 insertions(+), 1 deletion(-) > > > > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > > index 4fb2f6d6..816d8002 100644 > > --- a/src/openvpn/crypto_openssl.c > > +++ b/src/openvpn/crypto_openssl.c > > @@ -670,11 +670,16 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t > > *key, int key_len, > > { > > ASSERT(NULL != kt && NULL != ctx); > > > > +#if OPENSSL_VERSION_NUMBER < 0x1010L > > EVP_CIPHER_CTX_init(ctx); > > +#else > > +EVP_CIPHER_CTX_new(); > > +#endif > > Thanks for the patch, but this is not the way we want our source to > look like. As in: these extra #if will make maintaining the code > harder and more error-prone. > > > A patch along the lines of the existing openssl 1.1 / 1.0 compat layer > (the .c files call the 1.1 API and if that API is not available, > openssl_compat.h provides a substitute function) would be something > we might look more closely into. I ran this on a client. Turns out there are more problems than this. I will submit a partial fix in the meantime. > > gert > > -- > "If was one thing all people took for granted, was conviction that if you > feed honest figures into a computer, honest figures come out. Never doubted > it myself till I met a computer with a sense of humor." > Robert A. Heinlein, The Moon is a Harsh Mistress > > Gert Doering - Munich, Germany g...@greenie.muc.de -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1
Signed-off-by: Rosen Penev --- src/openvpn/crypto_openssl.c | 9 + src/openvpn/ssl_openssl.c| 32 +++- src/openvpn/ssl_verify_openssl.c | 1 + 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 4fb2f6d6..816d8002 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -670,11 +670,16 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); +#if OPENSSL_VERSION_NUMBER < 0x1010L EVP_CIPHER_CTX_init(ctx); +#else +EVP_CIPHER_CTX_new(); +#endif if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #1"); } + #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len)) { @@ -693,7 +698,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, void cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx) { +#if OPENSSL_VERSION_NUMBER < 0x1010L EVP_CIPHER_CTX_cleanup(ctx); +#else +EVP_CIPHER_CTX_free(ctx); +#endif } int diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 527a600a..92ed4926 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -56,6 +56,15 @@ #include #include #include +#ifndef OPENSSL_NO_DH +#include +#endif +#ifndef OPENSSL_NO_DSA +#include +#endif +#ifndef OPENSSL_NO_RSA +#include +#endif #ifndef OPENSSL_NO_EC #include #endif @@ -71,11 +80,19 @@ int mydata_index; /* GLOBAL */ void tls_init_lib(void) { +#if OPENSSL_VERSION_NUMBER < 0x1010L SSL_library_init(); +OpenSSL_add_all_algorithms(); #ifndef ENABLE_SMALL SSL_load_error_strings(); #endif -OpenSSL_add_all_algorithms(); +#else +#ifndef ENABLE_SMALL +OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); +#else +OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_SSL_STRINGS, NULL); +#endif +#endif mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); ASSERT(mydata_index >= 0); 
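Review bot: In the crypto_openssl.c hunks the 1.1 branches do not mirror their 1.0 counterparts: `EVP_CIPHER_CTX_new();` in `cipher_ctx_init` allocates a fresh context whose pointer is discarded (a leak) while the caller's `ctx` is left untouched, and `EVP_CIPHER_CTX_free(ctx);` in `cipher_ctx_cleanup` frees a context the caller still owns. The 2019 series above shows `free_key_ctx` in crypto.c calling `cipher_ctx_cleanup` immediately before `cipher_ctx_free` on the same pointer; if that holds at this revision, 1.1 builds double-free every cipher context. The in-place 1.1 equivalent of both init and cleanup is `EVP_CIPHER_CTX_reset(ctx);`, which would replace both `#else` bodies.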
@@ -84,10 +101,12 @@ tls_init_lib(void) void tls_free_lib(void) { +#if OPENSSL_VERSION_NUMBER < 0x1010L //this is no-op in future versions EVP_cleanup(); #ifndef ENABLE_SMALL ERR_free_strings(); #endif +#endif } void @@ -473,6 +492,11 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) goto cleanup; /* Nothing to check if there is no certificate */ } +#if OPENSSL_VERSION_NUMBER >= 0x1010L +#define X509_get_notBeforeX509_get0_notBefore +#define X509_get_notAfter X509_get0_notAfter +#endif + ret = X509_cmp_time(X509_get_notBefore(cert), NULL); if (ret == 0) { @@ -567,7 +591,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name #if OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter * loading */ +#if OPENSSL_VERSION_NUMBER < 0x1010L SSL_CTX_set_ecdh_auto(ctx->ctx, 1); +#endif return; #else /* For older OpenSSL we have to extract the curve from key on our own */ @@ -2037,7 +2063,11 @@ get_highest_preference_tls_cipher(char *buf, int size) const char * get_ssl_library_version(void) { +#if OPENSSL_VERSION_NUMBER < 0x1010L return SSLeay_version(SSLEAY_VERSION); +#else +return OpenSSL_version(OPENSSL_VERSION); +#endif } #endif /* defined(ENABLE_CRYPTO_OPENSSL) */ diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 9b984751..82460ae7 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -46,6 +46,7 @@ #include #include +#include int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) -- 2.17.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
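Review bot: The `#define X509_get_notBefore X509_get0_notBefore` / `X509_get_notAfter` pair added inside `tls_ctx_check_cert_time` is not scoped to the function: a macro defined mid-body applies to the rest of the translation unit, and on 1.1 builds that still expose the deprecated API the OpenSSL headers already define `X509_get_notBefore`, so this is likely a macro redefinition. The mapping is easier to keep correct in the other direction: call `X509_get0_notBefore(cert)` / `X509_get0_notAfter(cert)` here and define the get0 names for pre-1.1 in one place, which is the shape the later `get0 variants` patch on this page takes. Everything after the `if (ret == 0)` in this hunk is outside it.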