OpenVPN/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2025-05-08 21:25:53 +08:00
Code Issues Packages Projects Releases Wiki Activity

Drop support for OpenSSL 1.0.1

Browse Source 
OpenSSL 1.0.1 was supported until 2016-12-31. Rhel6/Centos6 still
use this version but considering that RHEL7 and RHEL8 are already
out, these versions can also stay with OpenVPN 2.4.

All the supported Debian based distributions also come with at
least 1.0.2.

We (accidently) unconditionally compiled some key exporter code on
OpenSSL 1.0.2+ without problems. So always compile the whole
key exporter feature for OpenSSL.

This also allows the tls groups commit to be applied without
adding ifdefs to disable that functionality on OpenSSL 1.0.1

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200717134739.21168-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20441.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Arne Schwabe 2020-07-17 15:47:32 +02:00 committed by Gert Doering
parent df85950a61
commit ec7d0e8e0f
9 changed files with 18 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.travis.yml
View File

@ -35,10 +35,6 @@ jobs:
env: SSLLIB="openssl" RUN_COVERITY="1"
os: linux
compiler: gcc
- name: gcc | openssl-1.0.1u
env: SSLLIB="openssl" OPENSSL_VERSION="1.0.1u"
os: linux
compiler: gcc
- name: gcc | openssl-1.1.1d
env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1d"
os: linux
@ -87,10 +83,6 @@ jobs:
env: SSLLIB="mbedtls"
os: osx
compiler: clang
- name: mingw64 | openssl-1.0.1u
env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.0.1u"
os: linux
compiler: ": Win64 build only"
- name: mingw64 | openssl-1.1.1d
env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.1.1d"
os: linux

4
Changes.rst
View File

@ -45,6 +45,10 @@ User-visible Changes
client-disconnect-script is now called immediately. Previously it
was called, when the VPN session was terminated.
- Support for building with OpenSSL 1.0.1 has been removed. The minimum
supported OpenSSL version is now 1.0.2.
Overview of changes in 2.4
==========================

9
INSTALL
View File

@ -71,12 +71,13 @@ REQUIRES:
(1) TUN and/or TAP driver to allow user-space programs to control
a virtual point-to-point IP or Ethernet device. See
TUN/TAP Driver Configuration section below for more info.
OPTIONAL (but recommended):
(1) OpenSSL library, necessary for encryption, version 1.0.1 or higher
(2) OpenSSL library, necessary for encryption, version 1.0.2 or higher
required, available from http://www.openssl.org/
(2) mbed TLS library, an alternative for encryption, version 2.0 or higher
or
(3) mbed TLS library, an alternative for encryption, version 2.0 or higher
required, available from https://tls.mbed.org/
OPTIONAL:
(3) LZO real-time compression library, required for link compression,
available from http://www.oberhumer.com/opensource/lzo/
OpenBSD users can use ports or packages to install lzo, but remember

14
configure.ac
View File

@ -848,7 +848,7 @@ if test "${with_crypto_library}" = "openssl"; then
# if the user did not explicitly specify flags, try to autodetect
PKG_CHECK_MODULES(
[OPENSSL],
[openssl >= 1.0.1],
[openssl >= 1.0.2],
[have_openssl="yes"],
[] # If this fails, we will do another test next
)
@ -863,7 +863,7 @@ if test "${with_crypto_library}" = "openssl"; then
# If pkgconfig check failed or OPENSSL_CFLAGS/OPENSSL_LIBS env vars
# are used, check the version directly in the OpenSSL include file
if test "${have_openssl}" != "yes"; then
AC_MSG_CHECKING([additionally if OpenSSL is available and version >= 1.0.1])
AC_MSG_CHECKING([additionally if OpenSSL is available and version >= 1.0.2])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
@ -871,7 +871,7 @@ if test "${with_crypto_library}" = "openssl"; then
]],
[[
/* Version encoding: MNNFFPPS - see opensslv.h for details */
#if OPENSSL_VERSION_NUMBER < 0x10001000L
#if OPENSSL_VERSION_NUMBER < 0x10002000L
#error OpenSSL too old
#endif
]]
@ -914,12 +914,9 @@ if test "${with_crypto_library}" = "openssl"; then
[have_crypto_aead_modes="no"]
)
# All supported OpenSSL version (>= 1.0.2)
# have this feature
have_export_keying_material="yes"
AC_CHECK_FUNC(
[SSL_export_keying_material],
,
[have_export_keying_material="no"]
)
AC_CHECK_FUNCS(
[ \
@ -940,7 +937,6 @@ if test "${with_crypto_library}" = "openssl"; then
X509_STORE_get0_objects \
X509_OBJECT_free \
X509_OBJECT_get_type \
EVP_PKEY_id \
EVP_PKEY_get0_RSA \
EVP_PKEY_get0_DSA \
EVP_PKEY_get0_EC_KEY \

7
src/openvpn/crypto.c
View File

@ -428,13 +428,6 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
tag_ptr = BPTR(buf);
ASSERT(buf_advance(buf, tag_size));
dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, &gc));
#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
/* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr))
{
CRYPT_ERROR("setting tag failed");
}
#endif
if (buf->len < 1)
{

14
src/openvpn/openssl_compat.h
View File

@ -271,20 +271,6 @@ EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
}
#endif
#if !defined(HAVE_EVP_PKEY_ID)
/**
* Get the PKEY type
*
* @param pkey Public key object
* @return The key type
*/
static inline int
EVP_PKEY_id(const EVP_PKEY *pkey)
{
return pkey ? pkey->type : EVP_PKEY_NONE;
}
#endif
#if !defined(HAVE_EVP_PKEY_GET0_DSA)
/**
* Get the DSA object of a public key

2
src/openvpn/options.c
View File

@ -8670,7 +8670,7 @@ add_option(struct options *options,
options->keying_material_exporter_label = p[1];
options->keying_material_exporter_length = ekm_length;
}
#endif /* if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 */
#endif /* HAVE_EXPORT_KEYING_MATERIAL */
else if (streq(p[0], "allow-recursive-routing") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);

2
src/openvpn/ssl_mbedtls.c
View File

@ -1108,7 +1108,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
}
}
#if HAVE_EXPORT_KEYING_MATERIAL
#ifdef HAVE_EXPORT_KEYING_MATERIAL
/* Initialize keying material exporter */
if (session->opt->ekm_size)
{

60
src/openvpn/ssl_openssl.c
View File

@ -164,7 +164,6 @@ key_state_export_keying_material(struct key_state_ssl *ssl,
{
if (session->opt->ekm_size > 0)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10001000)
unsigned int size = session->opt->ekm_size;
struct gc_arena gc = gc_new();
unsigned char *ekm = (unsigned char *) gc_malloc(size, true, &gc);
@ -188,7 +187,6 @@ key_state_export_keying_material(struct key_state_ssl *ssl,
setenv_del(session->opt->es, "exported_keying_material");
}
gc_free(&gc);
#endif /* if (OPENSSL_VERSION_NUMBER >= 0x10001000) */
}
}
@ -559,7 +557,7 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
#else /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
if (profile)
{
msg(M_WARN, "WARNING: OpenSSL 1.0.1 does not support --tls-cert-profile"
msg(M_WARN, "WARNING: OpenSSL 1.0.2 does not support --tls-cert-profile"
", ignoring user-set profile: '%s'", profile);
}
#endif /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
@ -573,19 +571,11 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
ASSERT(ctx);
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) \
|| LIBRESSL_VERSION_NUMBER >= 0x2070000fL
/* OpenSSL 1.0.2 and up */
cert = SSL_CTX_get0_certificate(ctx->ctx);
#else
/* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */
SSL *ssl = SSL_new(ctx->ctx);
cert = SSL_get_certificate(ssl);
#endif
if (cert == NULL)
{
goto cleanup; /* Nothing to check if there is no certificate */
return; /* Nothing to check if there is no certificate */
}
ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
@ -607,13 +597,6 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
{
msg(M_WARN, "WARNING: Your certificate has expired!");
}
cleanup:
#if OPENSSL_VERSION_NUMBER < 0x10002000L \
|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
SSL_free(ssl);
#endif
return;
}
void
@ -680,7 +663,6 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
}
else
{
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER))
/* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
@ -691,29 +673,6 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
* so do nothing */
#endif
return;
#else /* if OPENSSL_VERSION_NUMBER >= 0x10002000L */
/* For older OpenSSL we have to extract the curve from key on our own */
EC_KEY *eckey = NULL;
const EC_GROUP *ecgrp = NULL;
EVP_PKEY *pkey = NULL;
/* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */
SSL *ssl = SSL_new(ctx->ctx);
if (!ssl)
{
crypto_msg(M_FATAL, "SSL_new failed");
}
pkey = SSL_get_privatekey(ssl);
SSL_free(ssl);
msg(D_TLS_DEBUG, "Extracting ECDH curve from private key");
if (pkey != NULL && (eckey = EVP_PKEY_get1_EC_KEY(pkey)) != NULL
&& (ecgrp = EC_KEY_get0_group(eckey)) != NULL)
{
nid = EC_GROUP_get_curve_name(ecgrp);
}
#endif /* if OPENSSL_VERSION_NUMBER >= 0x10002000L */
}
/* Translate NID back to name , just for kicks */
@ -1462,15 +1421,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
ASSERT(NULL != ctx);
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) \
|| LIBRESSL_VERSION_NUMBER >= 0x2070000fL
/* OpenSSL 1.0.2 and up */
X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
#else
/* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */
SSL *ssl = SSL_new(ctx->ctx);
X509 *cert = SSL_get_certificate(ssl);
#endif
ASSERT(NULL != cert);
@ -1510,13 +1461,6 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
ret = 0;
cleanup:
#if OPENSSL_VERSION_NUMBER < 0x10002000L \
|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
if (ssl)
{
SSL_free(ssl);
}
#endif
if (ret)
{
crypto_msg(M_FATAL, "Cannot enable SSL external private key capability");