From 8ccfbcfe728192e7988decebed979a2f40c84b4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Mon, 1 Jul 2024 11:05:18 +0200 Subject: [PATCH] Remove no longer needed OpenSSL shims and checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since the minimal OpenSSL version is now OpenSSL 1.1.1, remove all kind of OpenSSL shims and checks for functions that are now always present in the OpenSSL libraries. Co-authored-by: Ondřej Surý Co-authored-by: Aydın Mercan --- bin/named/main.c | 8 -- bin/tests/system/checkconf/tests.sh | 2 +- bin/tests/system/cipher-suites/prereq.sh | 21 --- bin/tests/system/feature-test.c | 9 -- configure.ac | 71 +--------- lib/dns/dst_api.c | 4 +- lib/dns/dst_internal.h | 2 - lib/dns/openssl_shim.c | 131 ------------------ lib/dns/openssl_shim.h | 68 ---------- lib/dns/openssleddsa_link.c | 14 +- lib/isc/openssl_shim.c | 142 +------------------- lib/isc/openssl_shim.h | 101 +------------- lib/isc/tls.c | 164 +---------------------- lib/isccfg/namedconf.c | 4 - 14 files changed, 14 insertions(+), 727 deletions(-) delete mode 100644 bin/tests/system/cipher-suites/prereq.sh diff --git a/bin/named/main.c b/bin/named/main.c index e5a17b2f45..2bb5c1292d 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -590,16 +590,8 @@ printversion(bool verbose) { printf("compiled by Solaris Studio %x\n", __SUNPRO_C); #endif /* ifdef __SUNPRO_C */ printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT); -#if !defined(LIBRESSL_VERSION_NUMBER) && \ - OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */ printf("linked to OpenSSL version: %s\n", OpenSSL_version(OPENSSL_VERSION)); - -#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \ - * 0x10100000L */ - printf("linked to OpenSSL version: %s\n", - SSLeay_version(SSLEAY_VERSION)); -#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR, UV_VERSION_MINOR, UV_VERSION_PATCH); printf("linked to libuv version: %s\n", uv_version_string()); diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index ad7e2fbb47..474507156d 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -89,7 +89,7 @@ for good in good-*.conf; do good-proxy-*doh*.conf) continue ;; bad-proxy-*doh*.conf) continue ;; esac - elif ! $FEATURETEST --have-openssl-cipher-suites; then + else case $good in good-tls-cipher-suites-*.conf) continue ;; esac diff --git a/bin/tests/system/cipher-suites/prereq.sh b/bin/tests/system/cipher-suites/prereq.sh deleted file mode 100644 index 910359535c..0000000000 --- a/bin/tests/system/cipher-suites/prereq.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. ../conf.sh - -$FEATURETEST --have-openssl-cipher-suites || { - echo_i "SSL_CTX_set_ciphersuites() is required for the test." - exit 255 -} - -exit 0 diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c index 66731c513d..5b3c504d62 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -49,7 +49,6 @@ usage(void) { fprintf(stderr, "\t--have-geoip2\n"); fprintf(stderr, "\t--have-json-c\n"); fprintf(stderr, "\t--have-libxml2\n"); - fprintf(stderr, "\t--have-openssl-cipher-suites\n"); fprintf(stderr, "\t--ipv6only=no\n"); fprintf(stderr, "\t--md5\n"); fprintf(stderr, "\t--rsasha1\n"); @@ -185,14 +184,6 @@ main(int argc, char **argv) { #endif /* ifdef HAVE_LIBXML2 */ } - if (strcmp(argv[1], "--have-openssl-cipher-suites") == 0) { -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES - return (0); -#else /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */ - return (1); -#endif /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */ - } - if (strcmp(argv[1], "--tsan") == 0) { #if defined(__has_feature) #if __has_feature(thread_sanitizer) diff --git a/configure.ac b/configure.ac index f764eb1549..856920226b 100644 --- a/configure.ac +++ b/configure.ac @@ -664,53 +664,6 @@ LIBS="$OPENSSL_LIBS $LIBS" # # Check for functions added in OpenSSL or LibreSSL # - -AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex]) -AC_CHECK_FUNCS([BN_GENCB_new]) -AC_CHECK_FUNCS([CRYPTO_zalloc]) -AC_CHECK_FUNCS([ERR_get_error_all]) -AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free]) -AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset EVP_MD_CTX_get0_md]) -AC_CHECK_FUNCS([EVP_PKEY_new_raw_private_key EVP_PKEY_eq]) -AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup]) -AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback]) -AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version]) -AC_CHECK_FUNCS([SSL_CTX_up_ref]) -AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex]) -AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref]) -AC_CHECK_FUNCS([SSL_CTX_up_ref]) -AC_CHECK_FUNCS([SSL_SESSION_is_resumable]) -AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites]) - -# -# Check for algorithm support in OpenSSL -# - -AC_CHECK_FUNCS([EVP_DigestSignInit EVP_DigestVerifyInit], [:], - [AC_MSG_FAILURE([EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory.])]) - -AC_MSG_CHECKING([for ECDSA P-256 support]) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM([[#include ]], - [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_X9_62_prime256v1, NULL);]])], - [AC_MSG_RESULT([yes])], - [AC_MSG_FAILURE([not found. ECDSA P-256 support in OpenSSL is mandatory.])]) - -AC_MSG_CHECKING([for ECDSA P-384 support]) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM([[#include ]], - [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_secp384r1, NULL);]])], - [AC_MSG_RESULT([yes])], - [AC_MSG_FAILURE([not found. ECDSA P-384 support in OpenSSL is mandatory.])]) - -AC_MSG_CHECKING([for Ed25519 support]) -AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM([[#include ]], - [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);]])], - [AC_DEFINE([HAVE_OPENSSL_ED25519], [1], [define if OpenSSL supports Ed25519]) - AC_MSG_RESULT([yes])], - [AC_MSG_RESULT([no])]) - AC_MSG_CHECKING([for Ed448 support]) AC_COMPILE_IFELSE( [AC_LANG_PROGRAM([[#include ]], @@ -719,25 +672,11 @@ AC_COMPILE_IFELSE( AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no])]) -# -# Check for OpenSSL SHA-1 support -# -AC_CHECK_FUNCS([EVP_sha1], [:], - [AC_MSG_FAILURE([SHA-1 support in OpenSSL is mandatory.])]) - -# -# Check for OpenSSL SHA-2 support -# -AC_CHECK_FUNCS([EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [:], - [AC_MSG_FAILURE([SHA-2 support in OpenSSL is mandatory.])]) - -# -# Check for OpenSSL 1.1.x/LibreSSL functions -# -AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY]) -AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA]) - -AC_CHECK_FUNCS([TLS_server_method TLS_client_method]) +AC_CHECK_FUNCS([ERR_get_error_all]) +AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex]) +AC_CHECK_FUNCS([EVP_MD_CTX_get0_md]) +AC_CHECK_FUNCS([EVP_PKEY_eq]) +AC_CHECK_FUNCS([SSL_CTX_set1_cert_store]) # # Check whether FIPS mode is available and whether we should enable it diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index ac35b4dab2..487bb84bee 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -217,14 +217,12 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { DST_ALG_RSASHA512)); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); -#ifdef HAVE_OPENSSL_ED25519 RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519], DST_ALG_ED25519)); -#endif /* ifdef HAVE_OPENSSL_ED25519 */ #ifdef HAVE_OPENSSL_ED448 RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448], DST_ALG_ED448)); -#endif /* ifdef HAVE_OPENSSL_ED448 */ +#endif /* HAVE_OPENSSL_ED448 */ #if HAVE_GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index a78b710738..cf902deaa6 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -214,10 +214,8 @@ isc_result_t dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); isc_result_t dst__opensslecdsa_init(struct dst_func **funcp); -#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 isc_result_t dst__openssleddsa_init(struct dst_func **funcp, unsigned char algorithm); -#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */ #if HAVE_GSSAPI isc_result_t dst__gssapi_init(struct dst_func **funcp); diff --git a/lib/dns/openssl_shim.c b/lib/dns/openssl_shim.c index 128ffd3eb1..1034713b8d 100644 --- a/lib/dns/openssl_shim.c +++ b/lib/dns/openssl_shim.c @@ -15,137 +15,6 @@ #include -#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L -/* From OpenSSL 1.1.0 */ -int -RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { - /* - * If the fields n and e in r are NULL, the corresponding input - * parameters MUST be non-NULL for n and e. d may be - * left NULL (in case only the public key is used). - */ - if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) { - return (0); - } - - if (n != NULL) { - BN_free(r->n); - r->n = n; - } - if (e != NULL) { - BN_free(r->e); - r->e = e; - } - if (d != NULL) { - BN_clear_free(r->d); - r->d = d; - } - - return (1); -} - -int -RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) { - /* - * If the fields p and q in r are NULL, the corresponding input - * parameters MUST be non-NULL. - */ - if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) { - return (0); - } - - if (p != NULL) { - BN_clear_free(r->p); - r->p = p; - } - if (q != NULL) { - BN_clear_free(r->q); - r->q = q; - } - - return (1); -} - -int -RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) { - /* - * If the fields dmp1, dmq1 and iqmp in r are NULL, the - * corresponding input parameters MUST be non-NULL. - */ - if ((r->dmp1 == NULL && dmp1 == NULL) || - (r->dmq1 == NULL && dmq1 == NULL) || - (r->iqmp == NULL && iqmp == NULL)) - { - return (0); - } - - if (dmp1 != NULL) { - BN_clear_free(r->dmp1); - r->dmp1 = dmp1; - } - if (dmq1 != NULL) { - BN_clear_free(r->dmq1); - r->dmq1 = dmq1; - } - if (iqmp != NULL) { - BN_clear_free(r->iqmp); - r->iqmp = iqmp; - } - - return (1); -} - -void -RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, - const BIGNUM **d) { - SET_IF_NOT_NULL(n, r->n); - SET_IF_NOT_NULL(e, r->e); - SET_IF_NOT_NULL(d, r->d); -} - -void -RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) { - SET_IF_NOT_NULL(p, r->p); - SET_IF_NOT_NULL(q, r->q); -} - -void -RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, - const BIGNUM **iqmp) { - SET_IF_NOT_NULL(dmp1, r->dmp1); - SET_IF_NOT_NULL(dmq1, r->dmq1); - SET_IF_NOT_NULL(iqmp, r->iqmp); -} - -int -RSA_test_flags(const RSA *r, int flags) { - return (r->flags & flags); -} -#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */ - -#if !HAVE_ECDSA_SIG_GET0 -/* From OpenSSL 1.1 */ -void -ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) { - SET_IF_NOT_NULL(pr, sig->r); - SET_IF_NOT_NULL(ps, sig->s); -} - -int -ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { - if (r == NULL || s == NULL) { - return (0); - } - - BN_clear_free(sig->r); - BN_clear_free(sig->s); - sig->r = r; - sig->s = s; - - return (1); -} -#endif /* !HAVE_ECDSA_SIG_GET0 */ - #if !HAVE_ERR_GET_ERROR_ALL static const char err_empty_string = '\0'; diff --git a/lib/dns/openssl_shim.h b/lib/dns/openssl_shim.h index a0b87626db..72d462d0bd 100644 --- a/lib/dns/openssl_shim.h +++ b/lib/dns/openssl_shim.h @@ -28,74 +28,6 @@ #define RSA_MAX_PUBEXP_BITS 35 #endif /* ifndef RSA_MAX_PUBEXP_BITS */ -#if !HAVE_BN_GENCB_NEW -/* These are new in OpenSSL 1.1.0. */ -static inline BN_GENCB * -BN_GENCB_new(void) { - return (OPENSSL_malloc(sizeof(BN_GENCB))); -} - -static inline void -BN_GENCB_free(BN_GENCB *cb) { - if (cb == NULL) { - return; - } - OPENSSL_free(cb); -} - -static inline void * -BN_GENCB_get_arg(BN_GENCB *cb) { - return cb->arg; -} -#endif /* !HAVE_BN_GENCB_NEW */ - -#if !HAVE_EVP_PKEY_GET0_RSA && OPENSSL_VERSION_NUMBER < 0x10100000L -static inline const RSA * -EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) { - return (pkey->type == EVP_PKEY_RSA ? pkey->pkey.rsa : NULL); -} -#endif - -#if !HAVE_EVP_PKEY_GET0_EC_KEY && OPENSSL_VERSION_NUMBER < 0x10100000L -static inline const EC_KEY * -EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) { - return (pkey->type == EVP_PKEY_EC ? pkey->pkey.ec : NULL); -} -#endif - -#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L -int -RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); - -int -RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); - -int -RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); - -void -RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, - const BIGNUM **d); - -void -RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); - -void -RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, - const BIGNUM **iqmp); - -int -RSA_test_flags(const RSA *r, int flags); -#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */ - -#if !HAVE_ECDSA_SIG_GET0 -void -ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); - -int -ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); -#endif /* !HAVE_ECDSA_SIG_GET0 */ - #if !HAVE_ERR_GET_ERROR_ALL unsigned long ERR_get_error_all(const char **file, int *line, const char **func, diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index a807638387..a299bd0227 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c @@ -13,8 +13,6 @@ /*! \file */ -#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 - #include #include @@ -41,11 +39,9 @@ goto err; \ } -#if HAVE_OPENSSL_ED25519 #ifndef NID_ED25519 #error "Ed25519 group is not known (NID_ED25519)" #endif /* ifndef NID_ED25519 */ -#endif /* HAVE_OPENSSL_ED25519 */ #if HAVE_OPENSSL_ED448 #ifndef NID_ED448 @@ -60,7 +56,6 @@ typedef struct eddsa_alginfo { static const eddsa_alginfo_t * openssleddsa_alg_info(unsigned int key_alg) { -#if HAVE_OPENSSL_ED25519 if (key_alg == DST_ALG_ED25519) { static const eddsa_alginfo_t ed25519_alginfo = { .pkey_type = EVP_PKEY_ED25519, @@ -70,7 +65,6 @@ openssleddsa_alg_info(unsigned int key_alg) { }; return &ed25519_alginfo; } -#endif /* HAVE_OPENSSL_ED25519 */ #if HAVE_OPENSSL_ED448 if (key_alg == DST_ALG_ED448) { static const eddsa_alginfo_t ed448_alginfo = { @@ -586,7 +580,6 @@ static unsigned char ed448_sig[] = "\xb4\xee\x3f\x0e\x2b\x35\xdd\x5a\x35\xfe\x35\x00"; #endif -#if HAVE_OPENSSL_ED25519 static unsigned char ed25519_pub[] = "\x66\x5c\x21\x59\xe3\xa0\x6e\xa3\x7d\x82\x7c\xf1\xe7\xa3\xdd\xaf\xd1" "\x6d\x92\x81\xfb\x09\x0c\x7c\xfe\x6d\xf8\x87\x24\x7e\x6e\x25"; @@ -595,7 +588,6 @@ static unsigned char ed25519_sig[] = "\x38\xa3\x9c\xa3\x42\x4d\xc8\x89\xff\x84\xea\x2c\xa8\x8b\xfa\x2f\xab" "\x75\x7c\x68\x95\xfd\xdf\x62\x60\x4e\x4d\x10\xf8\x3c\xae\xcf\x18\x93" "\x90\x05\xa4\x54\x38\x45\x2f\x81\x71\x1e\x0f\x46\x04"; -#endif static isc_result_t check_algorithm(unsigned char algorithm) { @@ -621,8 +613,7 @@ check_algorithm(unsigned char algorithm) { key_len = sizeof(ed448_pub) - 1; alginfo = openssleddsa_alg_info(algorithm); break; -#endif -#if HAVE_OPENSSL_ED25519 +#endif /* HAVE_OPENSSL_ED448 */ case DST_ALG_ED25519: sig = ed25519_sig; sig_len = sizeof(ed25519_sig) - 1; @@ -630,7 +621,6 @@ check_algorithm(unsigned char algorithm) { key_len = sizeof(ed25519_pub) - 1; alginfo = openssleddsa_alg_info(algorithm); break; -#endif default: DST_RET(ISC_R_NOTIMPLEMENTED); } @@ -673,5 +663,3 @@ dst__openssleddsa_init(dst_func_t **funcp, unsigned char algorithm) { } return (ISC_R_SUCCESS); } - -#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */ diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c index c39ba8c682..08bc9c56a9 100644 --- a/lib/isc/openssl_shim.c +++ b/lib/isc/openssl_shim.c @@ -24,81 +24,6 @@ #include "openssl_shim.h" -#if !HAVE_CRYPTO_ZALLOC -void * -CRYPTO_zalloc(size_t num, const char *file, int line) { - void *ret = CRYPTO_malloc(num, file, line); - if (ret != NULL) { - memset(ret, 0, num); - } - return (ret); -} -#endif /* if !HAVE_CRYPTO_ZALLOC */ - -#if !HAVE_EVP_CIPHER_CTX_NEW -EVP_CIPHER_CTX * -EVP_CIPHER_CTX_new(void) { - EVP_CIPHER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); - return (ctx); -} -#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */ - -#if !HAVE_EVP_CIPHER_CTX_FREE -void -EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) { - if (ctx != NULL) { - EVP_CIPHER_CTX_cleanup(ctx); - OPENSSL_free(ctx); - } -} -#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */ - -#if !HAVE_EVP_MD_CTX_RESET -int -EVP_MD_CTX_reset(EVP_MD_CTX *ctx) { - return (EVP_MD_CTX_cleanup(ctx)); -} -#endif /* if !HAVE_EVP_MD_CTX_RESET */ - -#if !HAVE_SSL_READ_EX -int -SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) { - int rv = SSL_read(ssl, buf, num); - if (rv > 0) { - *readbytes = rv; - rv = 1; - } - - return (rv); -} -#endif - -#if !HAVE_SSL_PEEK_EX -int -SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) { - int rv = SSL_peek(ssl, buf, num); - if (rv > 0) { - *readbytes = rv; - rv = 1; - } - - return (rv); -} -#endif - -#if !HAVE_SSL_WRITE_EX -int -SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written) { - int rv = SSL_write(ssl, buf, num); - if (rv > 0) { - *written = rv; - rv = 1; - } - - return (rv); -} -#endif - #if !HAVE_BIO_READ_EX int BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) { @@ -110,7 +35,7 @@ BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) { return (rv); } -#endif +#endif /* !HAVE_BIO_READ_EX */ #if !HAVE_BIO_WRITE_EX int @@ -123,76 +48,13 @@ BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written) { return (rv); } -#endif - -#if !HAVE_OPENSSL_INIT_CRYPTO -int -OPENSSL_init_crypto(uint64_t opts, const void *settings) { - (void)settings; - - if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) == 0) { - ERR_load_crypto_strings(); - } - - if ((opts & (OPENSSL_INIT_NO_ADD_ALL_CIPHERS | - OPENSSL_INIT_NO_ADD_ALL_CIPHERS)) == 0) - { - OpenSSL_add_all_algorithms(); - } else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) { - OpenSSL_add_all_digests(); - } else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) { - OpenSSL_add_all_ciphers(); - } - - return (1); -} -#endif - -#if !HAVE_OPENSSL_INIT_SSL -int -OPENSSL_init_ssl(uint64_t opts, const void *settings) { - OPENSSL_init_crypto(opts, settings); - - SSL_library_init(); - - if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS) == 0) { - SSL_load_error_strings(); - } - - return (1); -} -#endif - -#if !HAVE_OPENSSL_CLEANUP -void -OPENSSL_cleanup(void) { - return; -} -#endif - -#if !HAVE_X509_STORE_UP_REF - -int -X509_STORE_up_ref(X509_STORE *store) { - return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE) > 0); -} - -#endif /* !HAVE_OPENSSL_CLEANUP */ +#endif /* !HAVE_BIO_WRITE_EX */ #if !HAVE_SSL_CTX_SET1_CERT_STORE - void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) { (void)X509_STORE_up_ref(store); SSL_CTX_set_cert_store(ctx, store); } - #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */ - -#if !HAVE_SSL_CTX_UP_REF -int -SSL_CTX_up_ref(SSL_CTX *ctx) { - return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0); -} -#endif /* !HAVE_SSL_CTX_UP_REF */ diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h index b2916e20a9..f7f6f5ae56 100644 --- a/lib/isc/openssl_shim.h +++ b/lib/isc/openssl_shim.h @@ -20,118 +20,21 @@ #include #include -#if !HAVE_CRYPTO_ZALLOC -void * -CRYPTO_zalloc(size_t num, const char *file, int line); -#endif /* if !HAVE_CRYPTO_ZALLOC */ - -#if !defined(OPENSSL_zalloc) -#define OPENSSL_zalloc(num) CRYPTO_zalloc(num, __FILE__, __LINE__) -#endif - -#if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY -#define EVP_PKEY_new_raw_private_key(type, e, key, keylen) \ - EVP_PKEY_new_mac_key(type, e, key, (int)(keylen)) -#endif /* if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY */ - -#if !HAVE_EVP_CIPHER_CTX_NEW -EVP_CIPHER_CTX * -EVP_CIPHER_CTX_new(void); -#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */ - -#if !HAVE_EVP_CIPHER_CTX_FREE -void -EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx); -#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */ - -#if !HAVE_EVP_MD_CTX_NEW -#define EVP_MD_CTX_new EVP_MD_CTX_create -#endif /* if !HAVE_EVP_MD_CTX_NEW */ - -#if !HAVE_EVP_MD_CTX_FREE -#define EVP_MD_CTX_free EVP_MD_CTX_destroy -#endif /* if !HAVE_EVP_MD_CTX_FREE */ - -#if !HAVE_EVP_MD_CTX_RESET -int -EVP_MD_CTX_reset(EVP_MD_CTX *ctx); -#endif /* if !HAVE_EVP_MD_CTX_RESET */ - #if !HAVE_EVP_MD_CTX_GET0_MD #define EVP_MD_CTX_get0_md EVP_MD_CTX_md #endif /* if !HAVE_EVP_MD_CTX_GET0_MD */ -#if !HAVE_SSL_READ_EX -int -SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); -#endif - -#if !HAVE_SSL_PEEK_EX -int -SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); -#endif - -#if !HAVE_SSL_WRITE_EX -int -SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written); -#endif - #if !HAVE_BIO_READ_EX int BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes); -#endif +#endif /* !HAVE_BIO_READ_EX */ #if !HAVE_BIO_WRITE_EX int BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written); -#endif - -#if !HAVE_OPENSSL_INIT_CRYPTO - -#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0x00000001L -#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0x00000002L -#define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L -#define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L -#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS 0x00000010L -#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS 0x00000020L - -int -OPENSSL_init_crypto(uint64_t opts, const void *settings); -#endif - -#if !HAVE_OPENSSL_INIT_SSL -#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L -#define OPENSSL_INIT_LOAD_SSL_STRINGS 0x00200000L - -int -OPENSSL_init_ssl(uint64_t opts, const void *settings); - -#endif - -#if !HAVE_OPENSSL_CLEANUP -void -OPENSSL_cleanup(void); -#endif - -#if !HAVE_TLS_SERVER_METHOD -#define TLS_server_method SSLv23_server_method -#endif - -#if !HAVE_TLS_CLIENT_METHOD -#define TLS_client_method SSLv23_client_method -#endif - -#if !HAVE_X509_STORE_UP_REF -int -X509_STORE_up_ref(X509_STORE *v); -#endif /* !HAVE_OPENSSL_CLEANUP */ +#endif /* !HAVE_BIO_WRITE_EX */ #if !HAVE_SSL_CTX_SET1_CERT_STORE void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store); #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */ - -#if !HAVE_SSL_CTX_UP_REF -int -SSL_CTX_up_ref(SSL_CTX *store); -#endif /* !HAVE_SSL_CTX_UP_REF */ diff --git a/lib/isc/tls.c b/lib/isc/tls.c index 281c09a92e..504b221115 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c @@ -56,27 +56,6 @@ static isc_mem_t *isc__tls_mctx = NULL; -#if OPENSSL_VERSION_NUMBER < 0x10100000L -static isc_mutex_t *locks = NULL; -static int nlocks; - -static void -isc__tls_lock_callback(int mode, int type, const char *file, int line) { - UNUSED(file); - UNUSED(line); - if ((mode & CRYPTO_LOCK) != 0) { - LOCK(&locks[type]); - } else { - UNLOCK(&locks[type]); - } -} - -static void -isc__tls_set_thread_id(CRYPTO_THREADID *id) { - CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self()); -} -#endif - #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L /* * This was crippled with LibreSSL, so just skip it: @@ -163,7 +142,6 @@ isc__tls_initialize(void) { #endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \ 0x30000000L */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG; #if defined(OPENSSL_INIT_NO_ATEXIT) @@ -175,28 +153,6 @@ isc__tls_initialize(void) { #endif RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1); -#else - nlocks = CRYPTO_num_locks(); - locks = isc_mem_cget(isc__tls_mctx, nlocks, sizeof(locks[0])); - isc_mutexblock_init(locks, nlocks); - CRYPTO_set_locking_callback(isc__tls_lock_callback); - CRYPTO_THREADID_set_callback(isc__tls_set_thread_id); - - CRYPTO_malloc_init(); - ERR_load_crypto_strings(); - SSL_load_error_strings(); - SSL_library_init(); - -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - ENGINE_load_builtin_engines(); -#endif - OpenSSL_add_all_algorithms(); - OPENSSL_load_builtin_modules(); - - CONF_modules_load_file(NULL, NULL, - CONF_MFLAGS_DEFAULT_SECTION | - CONF_MFLAGS_IGNORE_MISSING_FILE); -#endif /* Protect ourselves against unseeded PRNG */ if (RAND_status() != 1) { @@ -208,28 +164,7 @@ isc__tls_initialize(void) { void isc__tls_shutdown(void) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L OPENSSL_cleanup(); -#else - CONF_modules_unload(1); - OBJ_cleanup(); - EVP_cleanup(); -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - ENGINE_cleanup(); -#endif - CRYPTO_cleanup_all_ex_data(); - ERR_remove_thread_state(NULL); - RAND_cleanup(); - ERR_free_strings(); - - CRYPTO_set_locking_callback(NULL); - - if (locks != NULL) { - isc_mutexblock_destroy(locks, nlocks); - isc_mem_cput(isc__tls_mctx, locks, nlocks, sizeof(locks[0])); - locks = NULL; - } -#endif isc_mem_destroy(&isc__tls_mctx); } @@ -260,15 +195,12 @@ isc_tlsctx_attach(isc_tlsctx_t *src, isc_tlsctx_t **ptarget) { *ptarget = src; } -#if HAVE_SSL_CTX_SET_KEYLOG_CALLBACK /* * Callback invoked by the SSL library whenever a new TLS pre-master secret * needs to be logged. */ static void -sslkeylogfile_append(const SSL *ssl, const char *line) { - UNUSED(ssl); - +sslkeylogfile_append(const SSL *ssl ISC_ATTR_UNUSED, const char *line) { isc_log_write(isc_lctx, ISC_LOGCATEGORY_SSLKEYLOG, ISC_LOGMODULE_NETMGR, ISC_LOG_INFO, "%s", line); } @@ -284,9 +216,6 @@ sslkeylogfile_init(isc_tlsctx_t *ctx) { SSL_CTX_set_keylog_callback(ctx, sslkeylogfile_append); } } -#else /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */ -#define sslkeylogfile_init(ctx) -#endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */ isc_result_t isc_tlsctx_createclient(isc_tlsctx_t **ctxp) { @@ -308,12 +237,7 @@ isc_tlsctx_createclient(isc_tlsctx_t **ctxp) { SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS); -#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); -#else - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | - SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); -#endif sslkeylogfile_init(ctx); @@ -384,12 +308,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS); -#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); -#else - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | - SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); -#endif if (ephemeral) { const int group_nid = NID_X9_62_prime256v1; @@ -415,27 +334,10 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, } /* Use a named curve and uncompressed point conversion form. */ -#if HAVE_EVP_PKEY_GET0_EC_KEY EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey), OPENSSL_EC_NAMED_CURVE); EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey), POINT_CONVERSION_UNCOMPRESSED); -#else - EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE); - EC_KEY_set_conv_form(pkey->pkey.ec, - POINT_CONVERSION_UNCOMPRESSED); -#endif /* HAVE_EVP_PKEY_GET0_EC_KEY */ - -#if defined(SSL_CTX_set_ecdh_auto) - /* - * Using this macro is required for older versions of OpenSSL to - * automatically enable ECDH support. - * - * On later versions this function is no longer needed and is - * deprecated. - */ - (void)SSL_CTX_set_ecdh_auto(ctx, 1); -#endif /* defined(SSL_CTX_set_ecdh_auto) */ /* Cleanup */ EC_KEY_free(eckey); @@ -494,20 +396,12 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, * Set the "not before" property 5 minutes into the past to * accommodate with some possible clock skew across systems. */ -#if OPENSSL_VERSION_NUMBER < 0x10101000L - X509_gmtime_adj(X509_get_notBefore(cert), -300); -#else X509_gmtime_adj(X509_getm_notBefore(cert), -300); -#endif /* * We set the vailidy for 10 years. */ -#if OPENSSL_VERSION_NUMBER < 0x10101000L - X509_gmtime_adj(X509_get_notAfter(cert), 3650 * 24 * 3600); -#else X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600); -#endif X509_set_pubkey(cert, pkey); @@ -784,7 +678,6 @@ isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist) { bool isc_tls_cipher_suites_valid(const char *cipher_suites) { -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES isc_tlsctx_t *tmp_ctx = NULL; const SSL_METHOD *method = NULL; bool result; @@ -808,27 +701,15 @@ isc_tls_cipher_suites_valid(const char *cipher_suites) { isc_tlsctx_free(&tmp_ctx); return (result); -#else - UNUSED(cipher_suites); - - UNREACHABLE(); -#endif } void isc_tlsctx_set_cipher_suites(isc_tlsctx_t *ctx, const char *cipher_suites) { -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES REQUIRE(ctx != NULL); REQUIRE(cipher_suites != NULL); REQUIRE(*cipher_suites != '\0'); RUNTIME_CHECK(SSL_CTX_set_ciphersuites(ctx, cipher_suites) == 1); -#else - UNUSED(ctx); - UNUSED(cipher_suites); - - UNREACHABLE(); -#endif } void @@ -916,10 +797,8 @@ isc_tlsctx_enable_http2client_alpn(isc_tlsctx_t *ctx) { SSL_CTX_set_next_proto_select_cb(ctx, select_next_proto_cb, NULL); #endif /* !OPENSSL_NO_NEXTPROTONEG */ -#if OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)NGHTTP2_PROTO_ALPN, NGHTTP2_PROTO_ALPN_LEN); -#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -935,7 +814,6 @@ next_proto_cb(isc_tls_t *ssl, const unsigned char **data, unsigned int *len, } #endif /* !OPENSSL_NO_NEXTPROTONEG */ -#if OPENSSL_VERSION_NUMBER >= 0x10002000L static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) { @@ -953,7 +831,6 @@ alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, return (SSL_TLSEXT_ERR_OK); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ void isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) { @@ -962,9 +839,7 @@ isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) { #ifndef OPENSSL_NO_NEXTPROTONEG SSL_CTX_set_next_protos_advertised_cb(tls, next_proto_cb, NULL); #endif // OPENSSL_NO_NEXTPROTONEG -#if OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_CTX_set_alpn_select_cb(tls, alpn_select_proto_cb, NULL); -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L } #endif /* HAVE_LIBNGHTTP2 */ @@ -978,11 +853,9 @@ isc_tls_get_selected_alpn(isc_tls_t *tls, const unsigned char **alpn, #ifndef OPENSSL_NO_NEXTPROTONEG SSL_get0_next_proto_negotiated(tls, alpn, alpnlen); #endif -#if OPENSSL_VERSION_NUMBER >= 0x10002000L if (*alpn == NULL) { SSL_get0_alpn_selected(tls, alpn, alpnlen); } -#endif } static bool @@ -1015,13 +888,10 @@ void isc_tlsctx_enable_dot_client_alpn(isc_tlsctx_t *ctx) { REQUIRE(ctx != NULL); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_CTX_set_alpn_protos(ctx, (const uint8_t *)DOT_PROTO_ALPN, DOT_PROTO_ALPN_LEN); -#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ } -#if OPENSSL_VERSION_NUMBER >= 0x10002000L static int dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, @@ -1039,15 +909,12 @@ dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out, return (SSL_TLSEXT_ERR_OK); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */ void isc_tlsctx_enable_dot_server_alpn(isc_tlsctx_t *tls) { REQUIRE(tls != NULL); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_CTX_set_alpn_select_cb(tls, dot_alpn_select_proto_cb, NULL); -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L } isc_result_t @@ -1608,33 +1475,6 @@ isc_tlsctx_client_session_cache_detach( isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache)); } -static bool -ssl_session_seems_resumable(const SSL_SESSION *sess) { -#ifdef HAVE_SSL_SESSION_IS_RESUMABLE - /* - * If SSL_SESSION_is_resumable() is available, let's use that. It - * is expected to be available on OpenSSL >= 1.1.1 and its modern - * siblings. - */ - return (SSL_SESSION_is_resumable(sess) != 0); -#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L) - /* - * Taking into consideration that OpenSSL 1.1.0 uses opaque - * pointers for SSL_SESSION, we cannot implement a replacement for - * SSL_SESSION_is_resumable() manually. Let's use a sensible - * approximation for that, then: if there is an associated session - * ticket or session ID, then, most likely, the session is - * resumable. - */ - unsigned int session_id_len = 0; - (void)SSL_SESSION_get_id(sess, &session_id_len); - return (SSL_SESSION_has_ticket(sess) || session_id_len > 0); -#else - return (!sess->not_resumable && - (sess->session_id_length > 0 || sess->tlsext_ticklen > 0)); -#endif -} - void isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache, char *remote_peer_name, isc_tls_t *tls) { @@ -1652,7 +1492,7 @@ isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache, if (sess == NULL) { ERR_clear_error(); return; - } else if (!ssl_session_seems_resumable(sess)) { + } else if (SSL_SESSION_is_resumable(sess) == 0) { SSL_SESSION_free(sess); return; } diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index a69c559f38..9daadc48a9 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -4058,11 +4058,7 @@ static cfg_clausedef_t tls_clauses[] = { { "dhparam-file", &cfg_type_qstring, 0 }, { "protocols", &cfg_type_tlsprotos, 0 }, { "ciphers", &cfg_type_astring, 0 }, -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES { "cipher-suites", &cfg_type_astring, 0 }, -#else - { "cipher-suites", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED }, -#endif { "prefer-server-ciphers", &cfg_type_boolean, 0 }, { "session-tickets", &cfg_type_boolean, 0 }, { NULL, NULL, 0 }