From b0b4a2f1eb3bef0141d817cbf3b575a5dd28f241 Mon Sep 17 00:00:00 2001
From: Guus Sliepen
Date: Tue, 20 Jul 2021 22:10:56 +0200
Subject: [PATCH] Require OpenSSL 1.1.0 or later.

This gets rid of some backwards compatibility code, and avoids calling deprecated OpenSSL functions.

Fixes #244 on GitHub.
---
 .github/workflows/deb/debian/control | 2 +-
 README | 2 +-
 m4/openssl.m4 | 14 +-------------
 src/openssl/crypto.c | 14 +++----------
 src/openssl/digest.c | 11 -----------
 src/openssl/rsa.c | 12 ------------
 src/openssl/rsagen.c | 10 ----------
 7 files changed, 6 insertions(+), 59 deletions(-)

diff --git a/.github/workflows/deb/debian/control b/.github/workflows/deb/debian/control
index 38b23dd6..f7f61d84 100644
--- a/.github/workflows/deb/debian/control
+++ b/.github/workflows/deb/debian/control
@@ -3,7 +3,7 @@ Section: net
 Priority: optional
 Maintainer: none
 Standards-Version: 4.2.1
-Build-Depends: libssl-dev (>>1.0.0), debhelper (>= 11), texinfo, zlib1g-dev, liblzo2-dev, libncurses5-dev, libreadline-dev, libminiupnpc-dev
+Build-Depends: libssl-dev (>>1.1.0), debhelper (>= 11), texinfo, zlib1g-dev, liblzo2-dev, libncurses5-dev, libreadline-dev, libminiupnpc-dev
 Homepage: https://www.tinc-vpn.org/
 Vcs-Browser: https://github.com/gsliepen/tinc
 Vcs-Git: https://github.com/gsliepen/tinc.git
diff --git a/README b/README
index f21c2457..649e76e3 100644
--- a/README
+++ b/README
@@ -60,7 +60,7 @@ Requirements
 In order to compile tinc, you will need a GNU C compiler environment. Please ensure you have the latest stable versions of all the required libraries:
-- LibreSSL (http://www.libressl.org/) or OpenSSL (https://openssl.org/) version 1.0.0 or later.
+- LibreSSL (http://www.libressl.org/) or OpenSSL (https://openssl.org/) version 1.1.0 or later.
 The following libraries are used by default, but can be disabled if necessary:
diff --git a/m4/openssl.m4 b/m4/openssl.m4
index 01768ce4..99023c24 100644
--- a/m4/openssl.m4
+++ b/m4/openssl.m4
@@ -40,22 +40,10 @@ AC_DEFUN([tinc_OPENSSL],
 [AC_MSG_ERROR([LibreSSL/OpenSSL header files not found.]); break]
 )
 
- AC_CHECK_LIB(crypto, EVP_EncryptInit_ex,
+ AC_CHECK_LIB(crypto, OPENSSL_init_crypto,
 [LIBS="-lcrypto $LIBS"],
 [AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])]
 )
 
- AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
- [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
- )
-
- AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
- [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
- [#include ]
- )
-
- AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include ])
- AC_CHECK_FUNCS([HMAC_CTX_new], , , [#include ])
-
 AC_DEFINE(HAVE_OPENSSL, 1, [enable OpenSSL support])
 ])
diff --git a/src/openssl/crypto.c b/src/openssl/crypto.c
index 5c757360..8fc7e77b 100644
--- a/src/openssl/crypto.c
+++ b/src/openssl/crypto.c
@@ -94,12 +94,8 @@ void randomize(void *out, size_t outlen) {
 void crypto_init(void) {
 random_init();
 
- ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
-#if OPENSSL_API_COMPAT < 0x10100000L
- ERR_load_crypto_strings();
- OpenSSL_add_all_algorithms();
-#endif
+ uint64_t opts = OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_ENGINE_ALL_BUILTIN;
+ OPENSSL_init_crypto(opts, NULL);
 
 if(!RAND_status()) {
 fprintf(stderr, "Not enough entropy for the PRNG!\n");
@@ -108,10 +104,6 @@ void crypto_init(void) {
 }
 
 void crypto_exit(void) {
-#if OPENSSL_API_COMPAT < 0x10100000L
- EVP_cleanup();
- ERR_free_strings();
- ENGINE_cleanup();
-#endif
+ OPENSSL_cleanup();
 random_exit();
 }
diff --git a/src/openssl/digest.c b/src/openssl/digest.c
index 9569f3cc..d51dcaa9 100644
--- a/src/openssl/digest.c
+++ b/src/openssl/digest.c
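Review bot: With the AC_CHECK_FUNCS and AC_CHECK_DECLS probes removed, the AC_CHECK_LIB for OPENSSL_init_crypto is now the only thing enforcing the new minimum version, but its failure branch still reports `LibreSSL/OpenSSL libraries not found.`, which misleads a user who has an installed but too-old 1.0.x OpenSSL (or a LibreSSL release predating OPENSSL_init_crypto) into chasing a missing-library problem. I would make the message match the new requirement: `[AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found or too old (OpenSSL 1.1.0 or later is required).])]`. Since AC_CHECK_LIB only links against the library, a header/library mismatch (new headers, old library or vice versa) is not caught here either; an AC_COMPILE_IFELSE on OPENSSL_VERSION_NUMBER would close that gap, though I cannot see the header checks above line 40 in this hunk. The patch also never states which LibreSSL release is the minimum, presumably the first one shipping OPENSSL_init_crypto; worth noting in the README if that is the intent.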
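Review bot: The new `OPENSSL_init_crypto(opts, NULL);` line in crypto_init ignores the return value, and OPENSSL_init_crypto returns 0 on failure, so an initialization failure (for example an engine that fails to load) is silently ignored and the function proceeds to RAND_status() with ciphers, digests or error strings possibly not registered. The old code had no return values to check, so this is a regression in error visibility rather than a carry-over. I would mirror the RAND_status() failure handling just below (its body continues outside the hunk): `if(!OPENSSL_init_crypto(opts, NULL)) { fprintf(stderr, "Could not initialize OpenSSL!\n"); abort(); }`, substituting whatever that branch actually does. The `uint64_t` type also presumes stdint.h is already reachable through the file's includes; the hunk does not show them, so please confirm.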
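Review bot: The new `OPENSSL_cleanup();` in crypto_exit runs before `random_exit();`, and OpenSSL documents OPENSSL_cleanup as the terminal call after which no further library functions may be used (on 1.1.0 and later it is also registered with atexit automatically, so the explicit call mainly changes shutdown ordering). Whether that ordering is safe depends on what random_exit() does, which is outside the hunk; if it only releases a file descriptor this is fine, but if it touches OpenSSL at all it now runs on a torn-down library. I would add a comment above the call, `// Must be the last OpenSSL call in the process; nothing after this may use the library.`, and either confirm random_exit() is OpenSSL-free or move it before OPENSSL_cleanup().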
@@ -66,13 +66,8 @@ digest_t *digest_open_by_nid(int nid, int maclength) {
 }
 
 bool digest_set_key(digest_t *digest, const void *key, size_t len) {
-#ifdef HAVE_HMAC_CTX_NEW
 digest->hmac_ctx = HMAC_CTX_new();
 HMAC_Init_ex(digest->hmac_ctx, key, len, digest->digest, NULL);
-#else
- digest->hmac_ctx = xzalloc(sizeof(*digest->hmac_ctx));
- HMAC_Init(digest->hmac_ctx, key, len, digest->digest);
-#endif
 
 if(!digest->hmac_ctx) {
 abort();
@@ -90,16 +85,10 @@ void digest_close(digest_t *digest) {
 EVP_MD_CTX_destroy(digest->md_ctx);
 }
 
-#ifdef HAVE_HMAC_CTX_NEW
-
 if(digest->hmac_ctx) {
 HMAC_CTX_free(digest->hmac_ctx);
 }
-#else
- free(digest->hmac_ctx);
-#endif
-
 free(digest);
 }
diff --git a/src/openssl/rsa.c b/src/openssl/rsa.c
index f8ec6d51..104b9719 100644
--- a/src/openssl/rsa.c
+++ b/src/openssl/rsa.c
@@ -31,18 +31,6 @@ typedef RSA rsa_t;
 
 // Set RSA keys
 
-#ifndef HAVE_RSA_SET0_KEY
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
- BN_free(r->n);
- r->n = n;
- BN_free(r->e);
- r->e = e;
- BN_free(r->d);
- r->d = d;
- return 1;
-}
-#endif
-
 rsa_t *rsa_set_hex_public_key(char *n, char *e) {
 BIGNUM *bn_n = NULL;
 BIGNUM *bn_e = NULL;
diff --git a/src/openssl/rsagen.c b/src/openssl/rsagen.c
index 79127f68..5c42ac5d 100644
--- a/src/openssl/rsagen.c
+++ b/src/openssl/rsagen.c
@@ -72,16 +72,6 @@ static int indicator(int a, int b, BN_GENCB *cb) {
 
 // Generate RSA key
 
-#ifndef HAVE_BN_GENCB_NEW
-BN_GENCB *BN_GENCB_new(void) {
- return xzalloc(sizeof(BN_GENCB));
-}
-
-void BN_GENCB_free(BN_GENCB *cb) {
- free(cb);
-}
-#endif
-
 rsa_t *rsa_generate(size_t bits, unsigned long exponent) {
 BIGNUM *bn_e = BN_new();
 rsa_t *rsa = RSA_new();
-- 
2.20.1
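Review bot: In digest_set_key the now-unconditional `HMAC_Init_ex(digest->hmac_ctx, ...)` runs before the `if(!digest->hmac_ctx)` check that follows it, so when HMAC_CTX_new() returns NULL the context is dereferenced inside HMAC_Init_ex before the abort() is ever reached; the old xzalloc path never returned NULL, which is why the order did not matter before. HMAC_Init_ex's return value is also discarded, so a failed key setup leaves an unusable context while the function presumably still reports success (its return is outside the hunk). I would swap the order and check the result: move `if(!digest->hmac_ctx) { abort(); }` directly after the HMAC_CTX_new() call, then `if(!HMAC_Init_ex(digest->hmac_ctx, key, len, digest->digest, NULL)) { return false; }`, assuming `false` is how the rest of digest_set_key signals failure.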