Re: [Openvpn-devel] [PATCH applied] Re: openssl: Fix compilation without deprecated OpenSSL 1.1 APIs

2019-08-16 Thread Rosen Penev
On Fri, Aug 16, 2019 at 12:31 PM Gert Doering  wrote:
>
> Your patch has been applied to the master branch.
>
> Is this also suitable for release/2.4?  "You folks tell me, I do the
> cherry-picking" (if it applies) :-)
2.4 is what I did my testing on, so yes.
>
> I have removed the extra spaces in "# if" constructs, as this is not
> something we use elsewhere on nested CPP expressions (it came up in the
> discussion, but was still part of this patch).
>
> Tested lightly with openssl 1.0.2o and 1.1.1.
>
> commit 8a01147ff77e4ae2e377744b89fbe4b6841b2bb0 (master)
> Author: Rosen Penev
> Date:   Wed Jul 24 17:29:34 2019 +0200
>
>  openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
>
>  Signed-off-by: Rosen Penev 
>  Signed-off-by: Arne Schwabe 
>  Acked-by: Rosen Penev 
>  Acked-by: Steffan Karger 
>  Message-Id: <20190724152934.9884-1-a...@rfc2549.org>
>  URL: 
> https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18700.html
>  Signed-off-by: Gert Doering 
>
>
> --
> kind regards,
>
> Gert Doering
>




Re: [Openvpn-devel] [PATCH v3] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs

2019-07-24 Thread Rosen Penev
On Wed, Jul 24, 2019 at 8:29 AM Arne Schwabe  wrote:
>
> From: Rosen Penev 
>
> EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
> replaced with _reset.
>
> EVP_CIPHER_CTX_free in OpenSSL 1.1 replaces the cleanup/free combo of
> earlier OpenSSL version. And OpenSSL 1.0.2 already calls cleanup as part
> of _free.
>
> Therefore we can remove the _cleanup calls and use the OpenSSL 1.1. API
> everywhere.
>
> Also removed initialisation with OpenSSL 1.1 as it is no longer
> needed and causes compilation errors when disabling deprecated APIs.
>
> Same with SSL_CTX_set_ecdh_auto as it got removed.
>
> Patch V3: Use EVP_CIPHER_CTX_reset instead of init/cleanup
>
> Signed-off-by: Rosen Penev 
> Signed-off-by: Arne Schwabe 
ACK
> ---
>  configure.ac |  3 +++
>  src/openvpn/crypto.c |  1 -
>  src/openvpn/crypto_backend.h |  9 +
>  src/openvpn/crypto_mbedtls.c |  7 +--
>  src/openvpn/crypto_openssl.c |  8 +---
>  src/openvpn/openssl_compat.h | 12 
>  src/openvpn/ssl_openssl.c| 18 --
>  7 files changed, 30 insertions(+), 28 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 59673e04..b8e2476f 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -918,10 +918,13 @@ if test "${with_crypto_library}" = "openssl"; then
> EVP_MD_CTX_new \
> EVP_MD_CTX_free \
> EVP_MD_CTX_reset \
> +   EVP_CIPHER_CTX_reset \
> OpenSSL_version \
> SSL_CTX_get_default_passwd_cb \
> SSL_CTX_get_default_passwd_cb_userdata \
> SSL_CTX_set_security_level \
> +   X509_get0_notBefore \
> +   X509_get0_notAfter \
> X509_get0_pubkey \
> X509_STORE_get0_objects \
> X509_OBJECT_free \
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 8a92a8c1..585bfbc6 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -906,7 +906,6 @@ free_key_ctx(struct key_ctx *ctx)
>  {
>  if (ctx->cipher)
>  {
> -cipher_ctx_cleanup(ctx->cipher);
>  cipher_ctx_free(ctx->cipher);
>  ctx->cipher = NULL;
>  }
> diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
> index 7e9a4bd2..d119442f 100644
> --- a/src/openvpn/crypto_backend.h
> +++ b/src/openvpn/crypto_backend.h
> @@ -341,7 +341,7 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher);
>  cipher_ctx_t *cipher_ctx_new(void);
>
>  /**
> - * Free a cipher context
> + * Cleanup and free a cipher context
>   *
>   * @param ctx   Cipher context.
>   */
> @@ -360,13 +360,6 @@ void cipher_ctx_free(cipher_ctx_t *ctx);
>  void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, int key_len,
>   const cipher_kt_t *kt, int enc);
>
> -/**
> - * Cleanup the specified context.
> - *
> - * @param ctx   Cipher context to cleanup.
> - */
> -void cipher_ctx_cleanup(cipher_ctx_t *ctx);
> -
>  /**
>   * Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is
>   * used.
> diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
> index 2e931440..f924323d 100644
> --- a/src/openvpn/crypto_mbedtls.c
> +++ b/src/openvpn/crypto_mbedtls.c
> @@ -616,12 +616,6 @@ cipher_ctx_init(mbedtls_cipher_context_t *ctx, const 
> uint8_t *key, int key_len,
>  ASSERT(ctx->key_bitlen <= key_len*8);
>  }
>
> -void
> -cipher_ctx_cleanup(mbedtls_cipher_context_t *ctx)
> -{
> -mbedtls_cipher_free(ctx);
> -}
> -
>  int
>  cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx)
>  {
> @@ -861,6 +855,7 @@ md_ctx_new(void)
>  void
>  md_ctx_free(mbedtls_md_context_t *ctx)
>  {
> +mbedtls_cipher_free(ctx);
>  free(ctx);
>  }
>
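Review bot: The added `mbedtls_cipher_free(ctx);` lands in `md_ctx_free`, whose parameter is an `mbedtls_md_context_t *` (the hunk header's `md_ctx_new(void)` context confirms which function this is), so a message-digest context is handed to the cipher teardown routine. The earlier hunks of this same patch delete the mbedTLS `cipher_ctx_cleanup()` — the one place that called `mbedtls_cipher_free` — and drop its call from `free_key_ctx` in crypto.c, so unless `cipher_ctx_free` already releases the cipher state (it is outside the hunk), the cipher context and the key schedule it holds are no longer freed at all. The line belongs in `cipher_ctx_free(mbedtls_cipher_context_t *ctx)`, immediately before its `free(ctx);`, with `md_ctx_free` left unchanged.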
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index c049e52d..520e40ee 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -772,7 +772,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, 
> int key_len,
>  {
>  ASSERT(NULL != kt && NULL != ctx);
>
> -EVP_CIPHER_CTX_init(ctx);
> +EVP_CIPHER_CTX_reset(ctx);
>  if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
>  {
>  crypto_msg(M_FATAL, "EVP cipher init #1");
> @@ -792,12 +792,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, 
> int key_len,
>  ASSERT(EVP_CIPHER_CTX_key_l

[Openvpn-devel] [PATCHv3] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs

2019-07-12 Thread Rosen Penev
EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
replaced with _reset.

Also removed initialization with OpenSSL 1.1 as it is no longer needed and
causes compilation errors when disabling deprecated APIs.

Signed-off-by: Rosen Penev 
---
 v2: Squashed previous patches together.
 v3: Check for _reset function only.
 configure.ac |  3 +++
 src/openvpn/crypto_openssl.c |  8 
 src/openvpn/openssl_compat.h |  8 
 src/openvpn/ssl_openssl.c| 11 ---
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index e9f8a2f9..c7fd7a84 100644
--- a/configure.ac
+++ b/configure.ac
@@ -919,10 +919,13 @@ if test "${with_crypto_library}" = "openssl"; then
EVP_MD_CTX_new \
EVP_MD_CTX_free \
EVP_MD_CTX_reset \
+   EVP_CIPHER_CTX_reset \
OpenSSL_version \
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
SSL_CTX_set_security_level \
+   X509_get0_notBefore \
+   X509_get0_notAfter \
X509_get0_pubkey \
X509_STORE_get0_objects \
X509_OBJECT_free \
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index c049e52d..d8aa4835 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -772,7 +772,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, 
int key_len,
 {
 ASSERT(NULL != kt && NULL != ctx);
 
+#if defined(HAVE_EVP_CIPHER_CTX_RESET)
+EVP_CIPHER_CTX_reset(ctx);
+#else
 EVP_CIPHER_CTX_init(ctx);
+#endif
 if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
 {
 crypto_msg(M_FATAL, "EVP cipher init #1");
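Review bot: `HAVE_EVP_CIPHER_CTX_RESET` is defined only by the `AC_CHECK_FUNCS` entry this patch adds to configure.ac, so a build that supplies its `HAVE_*` macros by hand rather than by running configure silently takes the `#else` branch and keeps calling the deprecated `EVP_CIPHER_CTX_init()`, the very call the patch sets out to avoid; the `cipher_ctx_cleanup` hunk just below has the same shape. The choice depends only on the OpenSSL headers in use, so a single `#if !defined(HAVE_EVP_CIPHER_CTX_RESET)` fallback for `EVP_CIPHER_CTX_reset` in openssl_compat.h, next to the existing `EVP_MD_CTX_new` and `HMAC_CTX_reset` shims, would let both functions call `EVP_CIPHER_CTX_reset()` unconditionally and keep the version logic in one place.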
@@ -795,7 +799,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, 
int key_len,
 void
 cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx)
 {
+#if defined(HAVE_EVP_CIPHER_CTX_RESET)
+EVP_CIPHER_CTX_reset(ctx);
+#else
 EVP_CIPHER_CTX_cleanup(ctx);
+#endif
 }
 
 int
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index a4072b9a..788843a2 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -89,6 +89,14 @@ EVP_MD_CTX_new(void)
 }
 #endif
 
+#if !defined(HAVE_X509_GET0_NOTBEFORE)
+#define X509_get0_notBefore X509_get_notBefore
+#endif
+
+#if !defined(HAVE_X509_GET0_NOTAFTER)
+#define X509_get0_notAfter X509_get_notAfter
+#endif
+
 #if !defined(HAVE_HMAC_CTX_RESET)
 /**
  * Reset a HMAC context
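Review bot: The two new aliases carry no comment, unlike the neighbouring `HAVE_HMAC_CTX_RESET` shim with its `/** Reset a HMAC context` docblock, so a reader of the header cannot tell why `X509_get0_notBefore` needs mapping at all. I'd add above the first `#if`: `/* Pre-1.1 OpenSSL has no X509_get0_notBefore/X509_get0_notAfter; alias them to the older accessors, which the configure check for the get0 names selects between. */`. The same hunk recurs unchanged in the PATCHv2 and original PATCH postings further down this page.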
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8bcebac4..e285bc56 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */
 void
 tls_init_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER)
 SSL_library_init();
 #ifndef ENABLE_SMALL
 SSL_load_error_strings();
 #endif
 OpenSSL_add_all_algorithms();
-
+#endif
 mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, 
NULL);
 ASSERT(mydata_index >= 0);
 }
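Review bot: The threshold `0x1010L` in the new `#if` cannot be an OpenSSL 1.1.0 boundary: `OPENSSL_VERSION_NUMBER` is a nine-hex-digit constant (the existing check at the bottom of this patch compares against `0x10002000L` for 1.0.2), so as written the comparison is false for every real OpenSSL and the `SSL_library_init()`/`OpenSSL_add_all_algorithms()` block is compiled out on 1.0.2 as well. OpenSSL itself spells the 1.1.0 boundary `0x10100000L`; if the short form is an artefact of the list archive rather than of the patch, ignore this, but it is worth checking against the applied commit because the same literal appears in `tls_free_lib` and `tls_ctx_load_ecdh_params` in this patch and in the v2, v1 and 2018 postings below. With the constant right, compiling the block out on 1.1 matches the commit message, since 1.1 no longer needs explicit initialisation.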
@@ -89,10 +90,12 @@ tls_init_lib(void)
 void
 tls_free_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER)
 EVP_cleanup();
 #ifndef ENABLE_SMALL
 ERR_free_strings();
 #endif
+#endif
 }
 
 void
@@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 goto cleanup; /* Nothing to check if there is no certificate */
 }
 
-ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
+ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
 if (ret == 0)
 {
 msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
@@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 msg(M_WARN, "WARNING: Your certificate is not yet valid!");
 }
 
-ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
+ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
 if (ret == 0)
 {
 msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
@@ -634,10 +637,12 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const 
char *curve_name
 else
 {
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER)
 /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
  * loading */
 SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
 return;
+#endif
 #else
 /* For older OpenSSL we have to extract the curve from key on our own 
*/
 EC_KEY *eckey = NULL;
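Review bot: The `return;` now sits inside the inner `#if (OPENSSL_VERSION_NUMBER < …) && !defined(LIBRESSL_VERSION_NUMBER)`, so on OpenSSL 1.1 — where `SSL_CTX_set_ecdh_auto` was removed because ECDH parameters are handled automatically — the else-branch becomes empty and control falls through past the outer `#endif` into whatever follows, presumably the explicit curve lookup that the function otherwise reaches only when a curve name was supplied; that code is outside the hunk. Only the `SSL_CTX_set_ecdh_auto(ctx->ctx, 1);` call needs the guard: move `return;` below the inner `#endif` so both the 1.0.2 and the 1.1 paths return here. The v2 and original PATCH postings below have the same placement, while the two 2018 patches at the bottom of the page keep the `return;` outside the guard.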
-- 
2.17.1





Re: [Openvpn-devel] [PATCHv2] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs

2019-07-12 Thread Rosen Penev
On Fri, Jun 14, 2019 at 3:38 AM Arne Schwabe  wrote:
>
> Am 04.04.19 um 00:56 schrieb Rosen Penev:
> > EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
> > replaced with _reset.
> >
> > Also removed initialization with OpenSSL 1.1 as it is no longer needed and
> > causes compilation errors when disabling deprecated APIs.
> >
> > Same with SSL_CTX_set_ecdh_auto as it got removed.
> >
>
> This gets kind of an ACK but needs some additional changes to be really
> good.
>
>
> >
> > +#if !defined(HAVE_EVP_CIPHER_CTX_INIT)
> > +#define EVP_CIPHER_CTX_init EVP_CIPHER_CTX_reset
> > +#endif
> > +
> > +#if !defined(HAVE_EVP_CIPHER_CTX_CLEANUP)
> > +#define EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_reset
> > +#endif
>
> These two keep the older API instead of switching to the new one, from
> OpenSSL.
Yes I know. I feel that it's a cleaner solution as _init and _cleanup
both get defined to _reset.
>
> # if OPENSSL_API_COMPAT < 0x1010L
> #  define EVP_CIPHER_CTX_init(c)  EVP_CIPHER_CTX_reset(c)
> #  define EVP_CIPHER_CTX_cleanup(c)   EVP_CIPHER_CTX_reset(c)
> # endif
>
> Since just using only the new API in this case does not really work I
> think in case it would be better to rather always use
> EVP_CIPHER_CTX_reset instead of init and have ifdefs in the 2-3 places
> where we actually use EVP_CIPHER_CTX_cleanup so we can remove the old
> API when we bump our minimum OpenSSL version (and find this thing easy
> since it is an ifdef depending on the openssl version).
OK. Will change.
>
> > +
> > +#if !defined(HAVE_X509_GET0_NOTBEFORE)
> > +#define X509_get0_notBefore X509_get_notBefore
> > +#endif
> > +
> > +#if !defined(HAVE_X509_GET0_NOTAFTER)
> > +#define X509_get0_notAfter X509_get_notAfter
> > +#endif
> > +
> >  #if !defined(HAVE_HMAC_CTX_RESET)
> >  /**
> >   * Reset a HMAC context
> > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> > index 8bcebac4..e41cafa5 100644
> > --- a/src/openvpn/ssl_openssl.c
> > +++ b/src/openvpn/ssl_openssl.c
> > @@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */
> >  void
> >  tls_init_lib(void)
> >  {
> > +#if (OPENSSL_VERSION_NUMBER < 0x1010L && 
> > !defined(LIBRESSL_VERSION_NUMBER))
> >  SSL_library_init();
> > -#ifndef ENABLE_SMALL
> > +# ifndef ENABLE_SMALL
>
> The space between # and ifndef looks wrong.
Will eliminate. Not sure exactly why I added the space ATM.
>
>
> Arne
>




[Openvpn-devel] [PATCH] Remove wrong poll.h include

2019-04-03 Thread Rosen Penev
musl reports:

warning redirecting incorrect #include  to 

Signed-off-by: Rosen Penev 
---
 configure.ac  | 2 +-
 src/openvpn/syshead.h | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 891799ea..37880d29 100644
--- a/configure.ac
+++ b/configure.ac
@@ -436,7 +436,7 @@ AC_CHECK_HEADERS([ \
unistd.h signal.h libgen.h stropts.h \
syslog.h pwd.h grp.h \
sys/sockio.h sys/uio.h linux/sockios.h \
-   linux/types.h sys/poll.h sys/epoll.h err.h \
+   linux/types.h poll.h sys/epoll.h err.h \
 ])
 
 SOCKET_INCLUDES="
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index d2a50341..2b4c49ff 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -179,8 +179,8 @@
 #include 
 #endif
 
-#ifdef HAVE_SYS_POLL_H
-#include 
+#ifdef HAVE_POLL_H
+#include 
 #endif
 
 #ifdef HAVE_SYS_EPOLL_H
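Review bot: Switching the configure check from `sys/poll.h` to `poll.h` replaces the `HAVE_SYS_POLL_H` macro with `HAVE_POLL_H`, and the diffstat shows only these two files touched; any other `#ifdef HAVE_SYS_POLL_H` in the tree would become permanently false and silently lose its `poll()` path, so the remaining sources should be grepped for the old name before this is merged. The header names inside the angle brackets have been stripped by the archive in this posting, so the target of the new `#include` cannot be confirmed from here.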
-- 
2.17.1





[Openvpn-devel] [PATCHv2] openssl: Fix compilation without deprecated OpenSSL 1.1 APIs

2019-04-03 Thread Rosen Penev
EVP_CIPHER_CTX_init and _cleanup were deprecated in 1.1 and both were
replaced with _reset.

Also removed initialization with OpenSSL 1.1 as it is no longer needed and
causes compilation errors when disabling deprecated APIs.

Same with SSL_CTX_set_ecdh_auto as it got removed.

Signed-off-by: Rosen Penev 
---
 v2: Squashed previous patches together.
 configure.ac |  4 
 src/openvpn/openssl_compat.h | 16 
 src/openvpn/ssl_openssl.c| 18 --
 3 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index dfb268ca..891799ea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -918,10 +918,14 @@ if test "${with_crypto_library}" = "openssl"; then
EVP_MD_CTX_new \
EVP_MD_CTX_free \
EVP_MD_CTX_reset \
+   EVP_CIPHER_CTX_init \
+   EVP_CIPHER_CTX_cleanup \
OpenSSL_version \
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
SSL_CTX_set_security_level \
+   X509_get0_notBefore \
+   X509_get0_notAfter \
X509_get0_pubkey \
X509_STORE_get0_objects \
X509_OBJECT_free \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index a4072b9a..2453b85e 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -89,6 +89,22 @@ EVP_MD_CTX_new(void)
 }
 #endif
 
+#if !defined(HAVE_EVP_CIPHER_CTX_INIT)
+#define EVP_CIPHER_CTX_init EVP_CIPHER_CTX_reset
+#endif
+
+#if !defined(HAVE_EVP_CIPHER_CTX_CLEANUP)
+#define EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_reset
+#endif
+
+#if !defined(HAVE_X509_GET0_NOTBEFORE)
+#define X509_get0_notBefore X509_get_notBefore
+#endif
+
+#if !defined(HAVE_X509_GET0_NOTAFTER)
+#define X509_get0_notAfter X509_get_notAfter
+#endif
+
 #if !defined(HAVE_HMAC_CTX_RESET)
 /**
  * Reset a HMAC context
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8bcebac4..e41cafa5 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */
 void
 tls_init_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER))
 SSL_library_init();
-#ifndef ENABLE_SMALL
+# ifndef ENABLE_SMALL
 SSL_load_error_strings();
-#endif
+# endif
 OpenSSL_add_all_algorithms();
-
+#endif
 mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, 
NULL);
 ASSERT(mydata_index >= 0);
 }
@@ -89,9 +90,11 @@ tls_init_lib(void)
 void
 tls_free_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER))
 EVP_cleanup();
-#ifndef ENABLE_SMALL
+# ifndef ENABLE_SMALL
 ERR_free_strings();
+# endif
 #endif
 }
 
@@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 goto cleanup; /* Nothing to check if there is no certificate */
 }
 
-ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
+ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
 if (ret == 0)
 {
 msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
@@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 msg(M_WARN, "WARNING: Your certificate is not yet valid!");
 }
 
-ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
+ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
 if (ret == 0)
 {
 msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
@@ -634,10 +637,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const 
char *curve_name
 else
 {
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER))
+
 /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
  * loading */
 SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
 return;
+#endif
 #else
 /* For older OpenSSL we have to extract the curve from key on our own 
*/
 EC_KEY *eckey = NULL;
-- 
2.17.1





Re: [Openvpn-devel] [PATCH] openssl: Replace not[Before/After] functions with get0 variants

2019-03-28 Thread Rosen Penev
On Thu, Mar 28, 2019 at 12:51 AM Gert Doering  wrote:
>
> Hi,
>
> On Wed, Mar 27, 2019 at 02:56:26PM -0700, Rosen Penev wrote:
> > Also removed initialization with OpenSSL 1.1 as it is no longer needed and
> > causes compilation errors when disabling deprecated APIs.
> >
> > Same with SSL_CTX_set_ecdh_auto as it got removed.
>
> The Subject: line is a bit misleading - shouldn't this be more something
> like "Avoid calling deprecated-API calls of OpenSSL 1.1" or similar?
Yeah. The patch doesn't fully fix it, though. I ended up with a
somewhat workable solution.

https://github.com/neheb/openvpn/commit/945f190a1bfbde3d6bf11f5b576f5c9e5ec1b0f3

I can squash both of these so that they get the same Subject line.
>
> (People *do* look at commit logs, and the current subject does not cover
> making the SSL_library_init() call conditional, etc.)
>
> On the patch itself, I have no strong opinion and would welcome a review
> from Steffan or Arne :-) - the Subject: line I can fix at commit time.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [PATCH] openssl: Replace not[Before/After] functions with get0 variants

2019-03-27 Thread Rosen Penev
Also removed initialization with OpenSSL 1.1 as it is no longer needed and
causes compilation errors when disabling deprecated APIs.

Same with SSL_CTX_set_ecdh_auto as it got removed.

Signed-off-by: Rosen Penev 
---
 configure.ac |  2 ++
 src/openvpn/openssl_compat.h |  8 
 src/openvpn/ssl_openssl.c| 18 --
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index dfb268ca..2617f344 100644
--- a/configure.ac
+++ b/configure.ac
@@ -922,6 +922,8 @@ if test "${with_crypto_library}" = "openssl"; then
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
SSL_CTX_set_security_level \
+   X509_get0_notBefore \
+   X509_get0_notAfter \
X509_get0_pubkey \
X509_STORE_get0_objects \
X509_OBJECT_free \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index a4072b9a..788843a2 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -89,6 +89,14 @@ EVP_MD_CTX_new(void)
 }
 #endif
 
+#if !defined(HAVE_X509_GET0_NOTBEFORE)
+#define X509_get0_notBefore X509_get_notBefore
+#endif
+
+#if !defined(HAVE_X509_GET0_NOTAFTER)
+#define X509_get0_notAfter X509_get_notAfter
+#endif
+
 #if !defined(HAVE_HMAC_CTX_RESET)
 /**
  * Reset a HMAC context
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8bcebac4..e41cafa5 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -76,12 +76,13 @@ int mydata_index; /* GLOBAL */
 void
 tls_init_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER))
 SSL_library_init();
-#ifndef ENABLE_SMALL
+# ifndef ENABLE_SMALL
 SSL_load_error_strings();
-#endif
+# endif
 OpenSSL_add_all_algorithms();
-
+#endif
 mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, 
NULL);
 ASSERT(mydata_index >= 0);
 }
@@ -89,9 +90,11 @@ tls_init_lib(void)
 void
 tls_free_lib(void)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER))
 EVP_cleanup();
-#ifndef ENABLE_SMALL
+# ifndef ENABLE_SMALL
 ERR_free_strings();
+# endif
 #endif
 }
 
@@ -541,7 +544,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 goto cleanup; /* Nothing to check if there is no certificate */
 }
 
-ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
+ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
 if (ret == 0)
 {
 msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
@@ -551,7 +554,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 msg(M_WARN, "WARNING: Your certificate is not yet valid!");
 }
 
-ret = X509_cmp_time(X509_get_notAfter(cert), NULL);
+ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
 if (ret == 0)
 {
 msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
@@ -634,10 +637,13 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const 
char *curve_name
 else
 {
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if (OPENSSL_VERSION_NUMBER < 0x1010L && !defined(LIBRESSL_VERSION_NUMBER))
+
 /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
  * loading */
 SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
 return;
+#endif
 #else
 /* For older OpenSSL we have to extract the curve from key on our own 
*/
 EC_KEY *eckey = NULL;
-- 
2.17.1





[Openvpn-devel] [PATCHv2] openvpn: Add missing OpenSSL includes

2018-06-21 Thread Rosen Penev
These get included when deprecated APIs are enabled. This is true on at
least version 1.0.2 and 1.1.0.

Without deprecated APIs, OpenVPN fails to compile.

Signed-off-by: Rosen Penev 
---
 src/openvpn/ssl_openssl.c| 9 +
 src/openvpn/ssl_verify_openssl.c | 1 +
 2 files changed, 10 insertions(+)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 527a600a..d9aec9bd 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -56,6 +56,15 @@
 #include 
 #include 
 #include 
+#ifndef OPENSSL_NO_DH
+#include 
+#endif
+#ifndef OPENSSL_NO_DSA
+#include 
+#endif
+#ifndef OPENSSL_NO_RSA
+#include 
+#endif
 #ifndef OPENSSL_NO_EC
 #include 
 #endif
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 9b984751..82460ae7 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -46,6 +46,7 @@
 
 #include 
 #include 
+#include 
 
 int
 verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-- 
2.17.1




Re: [Openvpn-devel] [PATCH] openvpn: Add missing OpenSSL includes

2018-06-21 Thread Rosen Penev
On Thu, Jun 21, 2018 at 6:59 PM Antonio Quartulli  wrote:
>
> Hi,
>
> On 22/06/18 09:49, Rosen Penev wrote:
> > These get included when deprecated APIs are enabled. This is true on at
> > least version 1.0.2 and 1.1.0.
> >
> > Without deprecated APIs, OpenVPN fails to compile.
> >
> > Signed-off-by: Rosen Penev 
> > ---
> >  ...ilation-with-deprecated-APIs-disable.patch | 148 ++
>
> Was this patch committed by accident?
Yeah it was. will resend.
>
> Cheers,
>
>
> --
> Antonio Quartulli



[Openvpn-devel] [PATCH] openvpn: Add missing OpenSSL includes

2018-06-21 Thread Rosen Penev
These get included when deprecated APIs are enabled. This is true on at
least version 1.0.2 and 1.1.0.

Without deprecated APIs, OpenVPN fails to compile.

Signed-off-by: Rosen Penev 
---
 ...ilation-with-deprecated-APIs-disable.patch | 148 ++
 src/openvpn/ssl_openssl.c |   9 ++
 src/openvpn/ssl_verify_openssl.c  |   1 +
 3 files changed, 158 insertions(+)
 create mode 100644 
src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch

diff --git 
a/src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch 
b/src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch
new file mode 100644
index ..11adff21
--- /dev/null
+++ 
b/src/openvpn/0001-OpenSSL-Fix-compilation-with-deprecated-APIs-disable.patch
@@ -0,0 +1,148 @@
+From f581a10cbf5b40afbee2d9fc9454ce12e1611668 Mon Sep 17 00:00:00 2001
+From: Rosen Penev 
+Date: Tue, 19 Jun 2018 21:44:57 -0700
+Subject: [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1
+
+Signed-off-by: Rosen Penev 
+---
+ src/openvpn/crypto_openssl.c |  9 +
+ src/openvpn/ssl_openssl.c| 32 +++-
+ src/openvpn/ssl_verify_openssl.c |  1 +
+ 3 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 4fb2f6d6..816d8002 100644
+--- a/src/openvpn/crypto_openssl.c
 b/src/openvpn/crypto_openssl.c
+@@ -670,11 +670,16 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, 
int key_len,
+ {
+ ASSERT(NULL != kt && NULL != ctx);
+ 
++#if OPENSSL_VERSION_NUMBER < 0x1010L
+ EVP_CIPHER_CTX_init(ctx);
++#else
++EVP_CIPHER_CTX_new();
++#endif
+ if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
+ {
+ crypto_msg(M_FATAL, "EVP cipher init #1");
+ }
++
+ #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
+ if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len))
+ {
+@@ -693,7 +698,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, 
int key_len,
+ void
+ cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x1010L
+ EVP_CIPHER_CTX_cleanup(ctx);
++#else
++EVP_CIPHER_CTX_free(ctx);
++#endif
+ }
+ 
+ int
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 527a600a..92ed4926 100644
+--- a/src/openvpn/ssl_openssl.c
 b/src/openvpn/ssl_openssl.c
+@@ -56,6 +56,15 @@
+ #include 
+ #include 
+ #include 
++#ifndef OPENSSL_NO_DH
++#include 
++#endif
++#ifndef OPENSSL_NO_DSA
++#include 
++#endif
++#ifndef OPENSSL_NO_RSA
++#include 
++#endif
+ #ifndef OPENSSL_NO_EC
+ #include 
+ #endif
+@@ -71,11 +80,19 @@ int mydata_index; /* GLOBAL */
+ void
+ tls_init_lib(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x1010L
+ SSL_library_init();
++OpenSSL_add_all_algorithms();
+ #ifndef ENABLE_SMALL
+ SSL_load_error_strings();
+ #endif
+-OpenSSL_add_all_algorithms();
++#else
++#ifndef ENABLE_SMALL
++OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
++#else
++OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_SSL_STRINGS, NULL);
++#endif
++#endif
+ 
+ mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, 
NULL);
+ ASSERT(mydata_index >= 0);
+@@ -84,10 +101,12 @@ tls_init_lib(void)
+ void
+ tls_free_lib(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x1010L //this is no-op in future versions
+ EVP_cleanup();
+ #ifndef ENABLE_SMALL
+ ERR_free_strings();
+ #endif
++#endif
+ }
+ 
+ void
+@@ -473,6 +492,11 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
+ goto cleanup; /* Nothing to check if there is no certificate */
+ }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x1010L
++#define X509_get_notBeforeX509_get0_notBefore
++#define X509_get_notAfter X509_get0_notAfter
++#endif
++
+ ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
+ if (ret == 0)
+ {
+@@ -567,7 +591,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const 
char *curve_name
+ #if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
+  * loading */
++#if OPENSSL_VERSION_NUMBER < 0x1010L
+ SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
++#endif
+ return;
+ #else
+ /* For older OpenSSL we have to extract the curve from key on our own 
*/
+@@ -2037,7 +2063,11 @@ get_highest_preference_tls_cipher(char *buf, int size)
+ const char *
+ get_ssl_library_version(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x1010L
+ return SSLeay_version(SSLEAY_VERSION);
++#else
++return OpenSSL_version(OPENSSL_VERSION);
++#endif
+ }
+ 
+ #endif /* defined(ENABLE_CRYPTO_OPENSSL) */
+diff --git a/src/openvpn/ssl_verify_openssl.c 
b/src/openvpn/ssl_verify_openssl.c
+index 9b984751..82460ae7 100644
+--- a/src/openvpn/ssl_verify_openssl.c
 b/src/openvpn/ssl_verify_openssl.c
+@@ -46,6 +46,7 @@
+ 
+ #inclu

Re: [Openvpn-devel] [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1

2018-06-21 Thread Rosen Penev
On Tue, Jun 19, 2018 at 10:00 PM Gert Doering  wrote:
>
> Hi,
>
> On Tue, Jun 19, 2018 at 09:46:50PM -0700, Rosen Penev wrote:
> > Signed-off-by: Rosen Penev 
> > ---
> >  src/openvpn/crypto_openssl.c |  9 +
> >  src/openvpn/ssl_openssl.c| 32 +++-
> >  src/openvpn/ssl_verify_openssl.c |  1 +
> >  3 files changed, 41 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> > index 4fb2f6d6..816d8002 100644
> > --- a/src/openvpn/crypto_openssl.c
> > +++ b/src/openvpn/crypto_openssl.c
> > @@ -670,11 +670,16 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t 
> > *key, int key_len,
> >  {
> >  ASSERT(NULL != kt && NULL != ctx);
> >
> > +#if OPENSSL_VERSION_NUMBER < 0x1010L
> >  EVP_CIPHER_CTX_init(ctx);
> > +#else
> > +EVP_CIPHER_CTX_new();
> > +#endif
>
> Thanks for the patch, but this is not the way we want our source to
> look like.  As in: these extra #if will make maintaining the code
> harder and more error-prone.
>
>
> A patch along the lines of the existing openssl 1.1 / 1.0 compat layer
> (the .c files call the 1.1 API and if that API is not available,
> openssl_compat.h provides a substitute function) would be something
> we might look more closely into.
I ran this on a client. Turns out there are more problems than this. I
will submit a partial fix in the meantime.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de



[Openvpn-devel] [PATCH] OpenSSL: Fix compilation with deprecated APIs disabled on 1.1

2018-06-19 Thread Rosen Penev
Signed-off-by: Rosen Penev 
---
 src/openvpn/crypto_openssl.c |  9 +
 src/openvpn/ssl_openssl.c| 32 +++-
 src/openvpn/ssl_verify_openssl.c |  1 +
 3 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 4fb2f6d6..816d8002 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -670,11 +670,16 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, 
int key_len,
 {
 ASSERT(NULL != kt && NULL != ctx);
 
+#if OPENSSL_VERSION_NUMBER < 0x1010L
 EVP_CIPHER_CTX_init(ctx);
+#else
+EVP_CIPHER_CTX_new();
+#endif
 if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
 {
 crypto_msg(M_FATAL, "EVP cipher init #1");
 }
+
 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
 if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len))
 {
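Review bot: The 1.1 branch calls `EVP_CIPHER_CTX_new();` and discards the result, so every `cipher_ctx_init` call leaks a freshly allocated context while `ctx` itself is never reset before `EVP_CipherInit()` reuses it. The in-place replacement for the deprecated `EVP_CIPHER_CTX_init(ctx)` on 1.1 is `EVP_CIPHER_CTX_reset(ctx);`, which the later v3 posting on this page adopts.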
@@ -693,7 +698,11 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, 
int key_len,
 void
 cipher_ctx_cleanup(EVP_CIPHER_CTX *ctx)
 {
+#if OPENSSL_VERSION_NUMBER < 0x1010L
 EVP_CIPHER_CTX_cleanup(ctx);
+#else
+EVP_CIPHER_CTX_free(ctx);
+#endif
 }
 
 int
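Review bot: On 1.1 `cipher_ctx_cleanup()` now releases the context with `EVP_CIPHER_CTX_free(ctx)`, but its callers still own that memory and free it afterwards — the crypto.c hunk quoted higher on this page shows `free_key_ctx` calling `cipher_ctx_cleanup(ctx->cipher)` immediately followed by `cipher_ctx_free(ctx->cipher)` — so every key-context teardown becomes a double free on 1.1 builds. The deprecated `EVP_CIPHER_CTX_cleanup(ctx)` maps one-for-one onto `EVP_CIPHER_CTX_reset(ctx);`, which clears the context without freeing it.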
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 527a600a..92ed4926 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -56,6 +56,15 @@
 #include 
 #include 
 #include 
+#ifndef OPENSSL_NO_DH
+#include 
+#endif
+#ifndef OPENSSL_NO_DSA
+#include 
+#endif
+#ifndef OPENSSL_NO_RSA
+#include 
+#endif
 #ifndef OPENSSL_NO_EC
 #include 
 #endif
@@ -71,11 +80,19 @@ int mydata_index; /* GLOBAL */
 void
 tls_init_lib(void)
 {
+#if OPENSSL_VERSION_NUMBER < 0x1010L
 SSL_library_init();
+OpenSSL_add_all_algorithms();
 #ifndef ENABLE_SMALL
 SSL_load_error_strings();
 #endif
-OpenSSL_add_all_algorithms();
+#else
+#ifndef ENABLE_SMALL
+OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
+#else
+OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_SSL_STRINGS, NULL);
+#endif
+#endif
 
 mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, 
NULL);
 ASSERT(mydata_index >= 0);
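Review bot: Both `OPENSSL_init_ssl()` calls discard their return value even though the function reports failure by returning 0, whereas the code right after them does `ASSERT(mydata_index >= 0)` for the equivalent failure of `SSL_get_ex_new_index`; an initialisation failure here would only surface later as an obscure TLS error. Check it in the same style, e.g. `ASSERT(OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL));` and likewise for the `OPENSSL_INIT_NO_LOAD_SSL_STRINGS` variant. The `#if` also uses the `0x1010L` threshold discussed on the v3 posting above.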
@@ -84,10 +101,12 @@ tls_init_lib(void)
 void
 tls_free_lib(void)
 {
+#if OPENSSL_VERSION_NUMBER < 0x1010L //this is no-op in future versions
 EVP_cleanup();
 #ifndef ENABLE_SMALL
 ERR_free_strings();
 #endif
+#endif
 }
 
 void
@@ -473,6 +492,11 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
 goto cleanup; /* Nothing to check if there is no certificate */
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x1010L
+#define X509_get_notBeforeX509_get0_notBefore
+#define X509_get_notAfter X509_get0_notAfter
+#endif
+
 ret = X509_cmp_time(X509_get_notBefore(cert), NULL);
 if (ret == 0)
 {
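Review bot: The `#define` pair mapping `X509_get_notBefore` and `X509_get_notAfter` onto the get0 accessors is placed inside the body of `tls_ctx_check_cert_time`, but preprocessor definitions do not follow C scope: they stay in force for the rest of the translation unit, and in builds where OpenSSL 1.1 still exposes the deprecated names as macros this redefines them with a different body and draws a redefinition diagnostic. The direction the 2019 postings above take is cleaner: call `X509_get0_notBefore()`/`X509_get0_notAfter()` directly here and alias those back to the old accessors in openssl_compat.h for pre-1.1 builds.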
@@ -567,7 +591,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const 
char *curve_name
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
 /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
  * loading */
+#if OPENSSL_VERSION_NUMBER < 0x1010L
 SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
+#endif
 return;
 #else
 /* For older OpenSSL we have to extract the curve from key on our own 
*/
@@ -2037,7 +2063,11 @@ get_highest_preference_tls_cipher(char *buf, int size)
 const char *
 get_ssl_library_version(void)
 {
+#if OPENSSL_VERSION_NUMBER < 0x1010L
 return SSLeay_version(SSLEAY_VERSION);
+#else
+return OpenSSL_version(OPENSSL_VERSION);
+#endif
 }
 
 #endif /* defined(ENABLE_CRYPTO_OPENSSL) */
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 9b984751..82460ae7 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -46,6 +46,7 @@
 
 #include 
 #include 
+#include 
 
 int
 verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-- 
2.17.1

