OpenSSL 0.9.7 and older are considered obsolete (see
http://www.openssl.org/news/news.html). This patch updates configure.ac to
require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are
no longer needed.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8392
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -744,7 +744,7 @@ PKG_CHECK_MODULES( |
744 | 744 |
|
745 | 745 |
PKG_CHECK_MODULES( |
746 | 746 |
[OPENSSL_CRYPTO], |
747 |
- [libcrypto >= 0.9.6], |
|
747 |
+ [libcrypto >= 0.9.8], |
|
748 | 748 |
[have_openssl_crypto="yes"], |
749 | 749 |
[AC_CHECK_LIB( |
750 | 750 |
[crypto], |
... | ... |
@@ -758,7 +758,7 @@ PKG_CHECK_MODULES( |
758 | 758 |
|
759 | 759 |
PKG_CHECK_MODULES( |
760 | 760 |
[OPENSSL_SSL], |
761 |
- [libssl >= 0.9.6], |
|
761 |
+ [libssl >= 0.9.8], |
|
762 | 762 |
[have_openssl_ssl="yes"], |
763 | 763 |
[AC_CHECK_LIB( |
764 | 764 |
[ssl], |
... | ... |
@@ -57,33 +57,6 @@ |
57 | 57 |
#warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH |
58 | 58 |
#endif |
59 | 59 |
|
60 |
-/* |
|
61 |
- * |
|
62 |
- * Workarounds for incompatibilites between OpenSSL libraries. |
|
63 |
- * Right now we accept OpenSSL libraries from 0.9.5 to 0.9.7. |
|
64 |
- * |
|
65 |
- */ |
|
66 |
- |
|
67 |
-#if SSLEAY_VERSION_NUMBER < 0x00907000L |
|
68 |
- |
|
69 |
-/* Workaround: EVP_CIPHER_mode is defined wrong in OpenSSL 0.9.6 but is fixed in 0.9.7 */ |
|
70 |
-#undef EVP_CIPHER_mode |
|
71 |
-#define EVP_CIPHER_mode(e) (((e)->flags) & EVP_CIPH_MODE) |
|
72 |
- |
|
73 |
-#define DES_cblock des_cblock |
|
74 |
-#define DES_is_weak_key des_is_weak_key |
|
75 |
-#define DES_check_key_parity des_check_key_parity |
|
76 |
-#define DES_set_odd_parity des_set_odd_parity |
|
77 |
- |
|
78 |
-#define HMAC_CTX_init(ctx) CLEAR (*ctx) |
|
79 |
-#define HMAC_Init_ex(ctx,sec,len,md,impl) HMAC_Init(ctx, sec, len, md) |
|
80 |
-#define HMAC_CTX_cleanup(ctx) HMAC_cleanup(ctx) |
|
81 |
-#define EVP_MD_CTX_cleanup(md) CLEAR (*md) |
|
82 |
- |
|
83 |
-#define INFO_CALLBACK_SSL_CONST |
|
84 |
- |
|
85 |
-#endif |
|
86 |
- |
|
87 | 60 |
static inline int |
88 | 61 |
EVP_CipherInit_ov (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, uint8_t *key, uint8_t *iv, int enc) |
89 | 62 |
{ |
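Review bot: Dropping the `SSLEAY_VERSION_NUMBER` block leaves the header with no compile-time check that the OpenSSL headers in use really are 0.9.8 or newer; the configure hunks above enforce the new minimum only on the pkg-config path, while the `AC_CHECK_LIB([crypto], …)` / `AC_CHECK_LIB([ssl], …)` fallback accepts any libcrypto/libssl, so a build against an older OpenSSL would now reach the unguarded code (e.g. `HMAC_Init_ex`, `EVP_MD_CTX_cleanup`) without the compatibility macros this hunk removes. Replacing the removed block with a hard error would make the requirement visible at build time rather than as a late link or runtime failure: `#if OPENSSL_VERSION_NUMBER < 0x00908000L`, `#error "OpenSSL 0.9.8 or newer is required"`, `#endif`. The removed `INFO_CALLBACK_SSL_CONST` definition was the pre-0.9.7 variant; presumably the file still defines the non-legacy value elsewhere, but that is outside this hunk and worth confirming. `EVP_CipherInit_ov` begins on the last lines of the hunk and its body continues outside it.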
... | ... |
@@ -567,12 +567,7 @@ static const char usage_message[] = |
567 | 567 |
" root certificate.\n" |
568 | 568 |
#ifndef ENABLE_CRYPTO_POLARSSL |
569 | 569 |
"--capath dir : A directory of trusted certificates (CAs" |
570 |
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L |
|
571 | 570 |
" and CRLs).\n" |
572 |
-#else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */ |
|
573 |
- ").\n" |
|
574 |
- " WARNING: no support of CRL available with this version.\n" |
|
575 |
-#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */ |
|
576 | 571 |
#endif /* ENABLE_CRYPTO_POLARSSL */ |
577 | 572 |
"--dh file : File containing Diffie Hellman parameters\n" |
578 | 573 |
" in .pem format (for --tls-server only).\n" |
... | ... |
@@ -635,7 +630,6 @@ static const char usage_message[] = |
635 | 635 |
"--x509-track x : Save peer X509 attribute x in environment for use by\n" |
636 | 636 |
" plugins and management interface.\n" |
637 | 637 |
#endif |
638 |
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL |
|
639 | 638 |
"--remote-cert-ku v ... : Require that the peer certificate was signed with\n" |
640 | 639 |
" explicit key usage, you can specify more than one value.\n" |
641 | 640 |
" value should be given in hex format.\n" |
... | ... |
@@ -645,7 +639,6 @@ static const char usage_message[] = |
645 | 645 |
"--remote-cert-tls t: Require that peer certificate was signed with explicit\n" |
646 | 646 |
" key usage and extended key usage based on RFC3280 TLS rules.\n" |
647 | 647 |
" t = 'client' | 'server'.\n" |
648 |
-#endif /* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */ |
|
649 | 648 |
#endif /* ENABLE_SSL */ |
650 | 649 |
#ifdef ENABLE_PKCS11 |
651 | 650 |
"\n" |
... | ... |
@@ -6780,7 +6773,6 @@ add_option (struct options *options, |
6780 | 6780 |
goto err; |
6781 | 6781 |
} |
6782 | 6782 |
} |
6783 |
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL |
|
6784 | 6783 |
else if (streq (p[0], "remote-cert-ku")) |
6785 | 6784 |
{ |
6786 | 6785 |
int j; |
... | ... |
@@ -6818,7 +6810,6 @@ add_option (struct options *options, |
6818 | 6818 |
goto err; |
6819 | 6819 |
} |
6820 | 6820 |
} |
6821 |
-#endif /* OPENSSL_VERSION_NUMBER */ |
|
6822 | 6821 |
else if (streq (p[0], "tls-timeout") && p[1]) |
6823 | 6822 |
{ |
6824 | 6823 |
VERIFY_PERMISSION (OPT_P_TLS_PARMS); |
... | ... |
@@ -848,11 +848,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
848 | 848 |
msg(M_WARN, "WARNING: experimental option --capath %s", ca_path); |
849 | 849 |
else |
850 | 850 |
msg(M_SSLERR, "Cannot add lookup at --capath %s", ca_path); |
851 |
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L |
|
852 | 851 |
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); |
853 |
-#else |
|
854 |
- msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath"); |
|
855 |
-#endif |
|
856 | 852 |
} |
857 | 853 |
} |
858 | 854 |
|
... | ... |
@@ -337,8 +337,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, |
337 | 337 |
} |
338 | 338 |
} |
339 | 339 |
|
340 |
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL |
|
341 |
- |
|
342 | 340 |
/* verify certificate ku */ |
343 | 341 |
if (opt->remote_cert_ku[0] != 0) |
344 | 342 |
{ |
... | ... |
@@ -367,8 +365,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert, |
367 | 367 |
} |
368 | 368 |
} |
369 | 369 |
|
370 |
-#endif /* OPENSSL_VERSION_NUMBER */ |
|
371 |
- |
|
372 | 370 |
/* verify X509 name or username against --verify-x509-[user]name */ |
373 | 371 |
if (opt->verify_x509_type != VERIFY_X509_NONE) |
374 | 372 |
{ |
... | ... |
@@ -189,8 +189,6 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es, |
189 | 189 |
*/ |
190 | 190 |
result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage); |
191 | 191 |
|
192 |
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL |
|
193 |
- |
|
194 | 192 |
/* |
195 | 193 |
* Verify X.509 key usage extension field. |
196 | 194 |
* |
... | ... |
@@ -219,8 +217,6 @@ result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned * const |
219 | 219 |
*/ |
220 | 220 |
result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char * const expected_oid); |
221 | 221 |
|
222 |
-#endif |
|
223 |
- |
|
224 | 222 |
/* |
225 | 223 |
* Store the given certificate in pem format in a temporary file in tmp_dir |
226 | 224 |
* |
... | ... |
@@ -459,8 +459,6 @@ x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage) |
459 | 459 |
return FAILURE; |
460 | 460 |
} |
461 | 461 |
|
462 |
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L |
|
463 |
- |
|
464 | 462 |
result_t |
465 | 463 |
x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku, |
466 | 464 |
int expected_len) |
... | ... |
@@ -566,8 +564,6 @@ x509_write_pem(FILE *peercert_file, X509 *peercert) |
566 | 566 |
return SUCCESS; |
567 | 567 |
} |
568 | 568 |
|
569 |
-#endif /* OPENSSL_VERSION_NUMBER */ |
|
570 |
- |
|
571 | 569 |
/* |
572 | 570 |
* check peer cert against CRL |
573 | 571 |
*/ |