diff options
| author | Steffan Karger <steffan@karger.me> | 2014-03-23 14:53:01 +0100 |
|---|---|---|
| committer | Gert Doering <gert@greenie.muc.de> | 2014-03-23 22:03:08 +0100 |
| commit | 69a6b0c388fe1f463ab59cc8e414a4c5c635ab79 (patch) | |
| tree | b5d5a9253e7a5dd276ae955bce6a570ebc628244 | |
| parent | 05660e788a10ea28f886360ce7a0c100577f5813 (diff) | |
| download | openvpn-69a6b0c388fe1f463ab59cc8e414a4c5c635ab79.tar.gz openvpn-69a6b0c388fe1f463ab59cc8e414a4c5c635ab79.tar.xz openvpn-69a6b0c388fe1f463ab59cc8e414a4c5c635ab79.zip | |
Bump minimum OpenSSL version to 0.9.8
OpenSSL 0.9.7 and older are considered obsolete (see
http://www.openssl.org/news/news.html). This patch updates configure.ac to
require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are
now no longer needed.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8392
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| -rw-r--r-- | configure.ac | 4 | ||||
| -rw-r--r-- | src/openvpn/crypto_openssl.c | 27 | ||||
| -rw-r--r-- | src/openvpn/options.c | 9 | ||||
| -rw-r--r-- | src/openvpn/ssl_openssl.c | 4 | ||||
| -rw-r--r-- | src/openvpn/ssl_verify.c | 4 | ||||
| -rw-r--r-- | src/openvpn/ssl_verify_backend.h | 4 | ||||
| -rw-r--r-- | src/openvpn/ssl_verify_openssl.c | 4 |
7 files changed, 2 insertions, 54 deletions
diff --git a/configure.ac b/configure.ac index c622f33..efd29db 100644 --- a/configure.ac +++ b/configure.ac @@ -744,7 +744,7 @@ PKG_CHECK_MODULES( PKG_CHECK_MODULES( [OPENSSL_CRYPTO], - [libcrypto >= 0.9.6], + [libcrypto >= 0.9.8], [have_openssl_crypto="yes"], [AC_CHECK_LIB( [crypto], @@ -758,7 +758,7 @@ PKG_CHECK_MODULES( PKG_CHECK_MODULES( [OPENSSL_SSL], - [libssl >= 0.9.6], + [libssl >= 0.9.8], [have_openssl_ssl="yes"], [AC_CHECK_LIB( [ssl], diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 1501bc8..6199e61 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -57,33 +57,6 @@ #warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH #endif -/* - * - * Workarounds for incompatibilites between OpenSSL libraries. - * Right now we accept OpenSSL libraries from 0.9.5 to 0.9.7. - * - */ - -#if SSLEAY_VERSION_NUMBER < 0x00907000L - -/* Workaround: EVP_CIPHER_mode is defined wrong in OpenSSL 0.9.6 but is fixed in 0.9.7 */ -#undef EVP_CIPHER_mode -#define EVP_CIPHER_mode(e) (((e)->flags) & EVP_CIPH_MODE) - -#define DES_cblock des_cblock -#define DES_is_weak_key des_is_weak_key -#define DES_check_key_parity des_check_key_parity -#define DES_set_odd_parity des_set_odd_parity - -#define HMAC_CTX_init(ctx) CLEAR (*ctx) -#define HMAC_Init_ex(ctx,sec,len,md,impl) HMAC_Init(ctx, sec, len, md) -#define HMAC_CTX_cleanup(ctx) HMAC_cleanup(ctx) -#define EVP_MD_CTX_cleanup(md) CLEAR (*md) - -#define INFO_CALLBACK_SSL_CONST - -#endif - static inline int EVP_CipherInit_ov (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, uint8_t *key, uint8_t *iv, int enc) { diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c5746c5..18cb354 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -567,12 +567,7 @@ static const char usage_message[] = " root certificate.\n" #ifndef ENABLE_CRYPTO_POLARSSL "--capath dir : A directory of trusted certificates (CAs" -#if OPENSSL_VERSION_NUMBER >= 0x00907000L " and CRLs).\n" -#else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */ - ").\n" - " WARNING: no support of CRL available with this version.\n" -#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */ #endif /* ENABLE_CRYPTO_POLARSSL */ "--dh file : File containing Diffie Hellman parameters\n" " in .pem format (for --tls-server only).\n" @@ -635,7 +630,6 @@ static const char usage_message[] = "--x509-track x : Save peer X509 attribute x in environment for use by\n" " plugins and management interface.\n" #endif -#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL "--remote-cert-ku v ... : Require that the peer certificate was signed with\n" " explicit key usage, you can specify more than one value.\n" " value should be given in hex format.\n" @@ -645,7 +639,6 @@ static const char usage_message[] = "--remote-cert-tls t: Require that peer certificate was signed with explicit\n" " key usage and extended key usage based on RFC3280 TLS rules.\n" " t = 'client' | 'server'.\n" -#endif /* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */ #endif /* ENABLE_SSL */ #ifdef ENABLE_PKCS11 "\n" @@ -6780,7 +6773,6 @@ add_option (struct options *options, goto err; } } -#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL else if (streq (p[0], "remote-cert-ku")) { int j; @@ -6818,7 +6810,6 @@ add_option (struct options *options, goto err; } } -#endif /* OPENSSL_VERSION_NUMBER */ else if (streq (p[0], "tls-timeout") && p[1]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 68a1d59..2da7eba 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -848,11 +848,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, msg(M_WARN, "WARNING: experimental option --capath %s", ca_path); else msg(M_SSLERR, "Cannot add lookup at --capath %s", ca_path); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); -#else - msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath"); -#endif } } diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 4dd3aa2..765b886 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -337,8 +337,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, } } -#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL - /* verify certificate ku */ if (opt->remote_cert_ku[0] != 0) { @@ -367,8 +365,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, } } -#endif /* OPENSSL_VERSION_NUMBER */ - /* verify X509 name or username against --verify-x509-[user]name */ if (opt->verify_x509_type != VERIFY_X509_NONE) { diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index 1658cc0..7d2aae6 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -189,8 +189,6 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es, */ result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL - /* * Verify X.509 key usage extension field. * @@ -219,8 +217,6 @@ result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned * const */ result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char * const expected_oid); -#endif - /* * Store the given certificate in pem format in a temporary file in tmp_dir * diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 658f5f3..cd2006f 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -459,8 +459,6 @@ x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage) return FAILURE; } -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - result_t x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku, int expected_len) @@ -566,8 +564,6 @@ x509_write_pem(FILE *peercert_file, X509 *peercert) return SUCCESS; } -#endif /* OPENSSL_VERSION_NUMBER */ - /* * check peer cert against CRL */ |