- TLS 1.3 is not ready yet in LibreSSL. Also there is a theoretical
possibility of OpenSSL >=1.1.1 built without TLS 1.3 support.
- EC_KEY_METHOD API and SSL_get1_supported_ciphers are added into LibreSSL
master (not yet released in 2.9.0).
- Some functions that have been available since LibreSSL 2.7.0 were excluded
in ssl_openssl.c regardless of the LibreSSL version; use them when building
against LibreSSL 2.7.0 or newer.
Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20190225183531.27399-1-stefan.strogin@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18239.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -465,7 +465,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) |
465 | 465 |
return; |
466 | 466 |
} |
467 | 467 |
|
468 |
-#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) |
|
468 |
+#if !defined(TLS1_3_VERSION) |
|
469 | 469 |
crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " |
470 | 470 |
"Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", |
471 | 471 |
ciphers); |
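Review bot: The warning text on line 469 still says "Not compiled with OpenSSL 1.1.1 or higher", but the guard above it is now `!defined(TLS1_3_VERSION)`, so a LibreSSL build (where, per the commit message, TLS 1.3 is not ready) or an OpenSSL build lacking TLS 1.3 would report a cause that does not match what was tested. I would reword it to describe the actual condition: `crypto_msg(M_WARN, "TLS library was built without TLS 1.3 support. "` followed by the existing `"Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", ciphers);`. An undefined `TLS1_3_VERSION` is only a proxy for a missing TLS 1.3 implementation; if a library header were to define the constant before the implementation is functional, the `tls-ciphersuites` path would still be compiled, which is worth a one-line comment above the `#if` stating that assumption. tls_ctx_restrict_ciphers_tls13 starts and ends outside the hunk.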
... | ... |
@@ -526,7 +526,8 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) |
526 | 526 |
|
527 | 527 |
ASSERT(ctx); |
528 | 528 |
|
529 |
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) |
|
529 |
+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) \ |
|
530 |
+ || LIBRESSL_VERSION_NUMBER >= 0x2070000fL |
|
530 | 531 |
/* OpenSSL 1.0.2 and up */ |
531 | 532 |
cert = SSL_CTX_get0_certificate(ctx->ctx); |
532 | 533 |
#else |
... | ... |
@@ -561,7 +562,8 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) |
561 | 561 |
} |
562 | 562 |
|
563 | 563 |
cleanup: |
564 |
-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) |
|
564 |
+#if OPENSSL_VERSION_NUMBER < 0x10002000L \ |
|
565 |
+ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) |
|
565 | 566 |
SSL_free(ssl); |
566 | 567 |
#endif |
567 | 568 |
return; |
... | ... |
@@ -1209,7 +1211,9 @@ err: |
1209 | 1209 |
return 0; |
1210 | 1210 |
} |
1211 | 1211 |
|
1212 |
-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) |
|
1212 |
+#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \ |
|
1213 |
+ || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \ |
|
1214 |
+ && !defined(OPENSSL_NO_EC) |
|
1213 | 1215 |
|
1214 | 1216 |
/* called when EC_KEY is destroyed */ |
1215 | 1217 |
static void |
... | ... |
@@ -1331,7 +1335,7 @@ err: |
1331 | 1331 |
} |
1332 | 1332 |
return 0; |
1333 | 1333 |
} |
1334 |
-#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev */ |
|
1334 |
+#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ |
|
1335 | 1335 |
|
1336 | 1336 |
int |
1337 | 1337 |
tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) |
... | ... |
@@ -1340,7 +1344,8 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) |
1340 | 1340 |
|
1341 | 1341 |
ASSERT(NULL != ctx); |
1342 | 1342 |
|
1343 |
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) |
|
1343 |
+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) \ |
|
1344 |
+ || LIBRESSL_VERSION_NUMBER >= 0x2070000fL |
|
1344 | 1345 |
/* OpenSSL 1.0.2 and up */ |
1345 | 1346 |
X509 *cert = SSL_CTX_get0_certificate(ctx->ctx); |
1346 | 1347 |
#else |
... | ... |
@@ -1362,7 +1367,9 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) |
1362 | 1362 |
goto cleanup; |
1363 | 1363 |
} |
1364 | 1364 |
} |
1365 |
-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) |
|
1365 |
+#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \ |
|
1366 |
+ || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \ |
|
1367 |
+ && !defined(OPENSSL_NO_EC) |
|
1366 | 1368 |
else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) |
1367 | 1369 |
{ |
1368 | 1370 |
if (!tls_ctx_use_external_ec_key(ctx, pkey)) |
... | ... |
@@ -1375,17 +1382,18 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) |
1375 | 1375 |
crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate"); |
1376 | 1376 |
goto cleanup; |
1377 | 1377 |
} |
1378 |
-#else /* if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) */ |
|
1378 |
+#else /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ |
|
1379 | 1379 |
else |
1380 | 1380 |
{ |
1381 | 1381 |
crypto_msg(M_WARN, "management-external-key requires an RSA certificate"); |
1382 | 1382 |
goto cleanup; |
1383 | 1383 |
} |
1384 |
-#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev */ |
|
1384 |
+#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ |
|
1385 | 1385 |
|
1386 | 1386 |
ret = 0; |
1387 | 1387 |
cleanup: |
1388 |
-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) |
|
1388 |
+#if OPENSSL_VERSION_NUMBER < 0x10002000L \ |
|
1389 |
+ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) |
|
1389 | 1390 |
if (ssl) |
1390 | 1391 |
{ |
1391 | 1392 |
SSL_free(ssl); |
... | ... |
@@ -1998,7 +2006,7 @@ show_available_tls_ciphers_list(const char *cipher_list, |
1998 | 1998 |
crypto_msg(M_FATAL, "Cannot create SSL_CTX object"); |
1999 | 1999 |
} |
2000 | 2000 |
|
2001 |
-#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) |
|
2001 |
+#if defined(TLS1_3_VERSION) |
|
2002 | 2002 |
if (tls13) |
2003 | 2003 |
{ |
2004 | 2004 |
SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); |
... | ... |
@@ -2019,7 +2027,8 @@ show_available_tls_ciphers_list(const char *cipher_list, |
2019 | 2019 |
crypto_msg(M_FATAL, "Cannot create SSL object"); |
2020 | 2020 |
} |
2021 | 2021 |
|
2022 |
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) |
|
2022 |
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \ |
|
2023 |
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090000fL) |
|
2023 | 2024 |
STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); |
2024 | 2025 |
#else |
2025 | 2026 |
STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl); |