openssl: drop support for old OpenSSL/LibreSSL versions

Require OpenSSL 1.0.2a (2015-03-19) or LibreSSL 2.9.1 (2019-04-13).

Closes #16104
Viktor Szakats 2025-01-27 20:35:23 +01:00
parent e0fd5790d9
commit 2cc90a679a
GPG Key ID: B5ABD165E2AEF201
5 changed files with 68 additions and 278 deletions


@ -24,7 +24,8 @@ versions of libs and build tools.
We aim to support these or later versions.
- OpenSSL 0.9.7
- OpenSSL 1.0.2a
- LibreSSL 2.9.1
- GnuTLS 3.1.10
- zlib 1.2.0.4
- libssh2 1.2.8


@ -71,16 +71,7 @@
# include <openssl/md5.h>
# include <openssl/ssl.h>
# include <openssl/rand.h>
# if (defined(OPENSSL_VERSION_NUMBER) && \
(OPENSSL_VERSION_NUMBER < 0x00907001L)) && !defined(USE_WOLFSSL)
# define DES_key_schedule des_key_schedule
# define DES_cblock des_cblock
# define DES_set_odd_parity des_set_odd_parity
# define DES_set_key des_set_key
# define DES_ecb_encrypt des_ecb_encrypt
# define DESKEY(x) x
# define DESKEYARG(x) x
# elif defined(OPENSSL_IS_AWSLC)
# if defined(OPENSSL_IS_AWSLC)
# define DES_set_key_unchecked (void)DES_set_key
# define DESKEYARG(x) *x
# define DESKEY(x) &x


@ -394,51 +394,11 @@ static struct passwd *vms_getpwuid(uid_t uid)
/* that way a newer port will also work if some one has one */
#ifdef __VAX
# if (OPENSSL_VERSION_NUMBER < 0x00907001L)
# define des_set_odd_parity DES_SET_ODD_PARITY
# define des_set_key DES_SET_KEY
# define des_ecb_encrypt DES_ECB_ENCRYPT
# endif
# include <openssl/evp.h>
# ifndef OpenSSL_add_all_algorithms
# define OpenSSL_add_all_algorithms OPENSSL_ADD_ALL_ALGORITHMS
void OPENSSL_ADD_ALL_ALGORITHMS(void);
# endif
/* Curl defines these to lower case and VAX needs them in upper case */
/* So we need static routines */
# if (OPENSSL_VERSION_NUMBER < 0x00907001L)
# undef des_set_odd_parity
# undef DES_set_odd_parity
# undef des_set_key
# undef DES_set_key
# undef des_ecb_encrypt
# undef DES_ecb_encrypt
static void des_set_odd_parity(des_cblock *key) {
DES_SET_ODD_PARITY(key);
}
static int des_set_key(const_des_cblock *key,
des_key_schedule schedule) {
return DES_SET_KEY(key, schedule);
}
static void des_ecb_encrypt(const_des_cblock *input,
des_cblock *output,
des_key_schedule ks, int enc) {
DES_ECB_ENCRYPT(input, output, ks, enc);
}
#endif
/* Need this to stop a macro redefinition error */
#if OPENSSL_VERSION_NUMBER < 0x00907000L
# ifdef X509_STORE_set_flags
# undef X509_STORE_set_flags
# define X509_STORE_set_flags(x,y) Curl_nop_stmt
# endif
#endif
#endif
#endif /* HEADER_CURL_SETUP_VMS_H */


@ -32,41 +32,16 @@
#include "curl_sha256.h"
#include "curl_hmac.h"
#ifdef USE_WOLFSSL
#include <wolfssl/options.h>
#endif
#if defined(USE_OPENSSL)
#include <openssl/opensslv.h>
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
#define USE_OPENSSL_SHA256
#endif
#endif /* USE_OPENSSL */
#ifdef USE_MBEDTLS
#ifdef USE_OPENSSL
#include <openssl/evp.h>
#elif defined(USE_GNUTLS)
#include <nettle/sha.h>
#elif defined(USE_MBEDTLS)
#include <mbedtls/version.h>
#if(MBEDTLS_VERSION_NUMBER >= 0x02070000) && \
(MBEDTLS_VERSION_NUMBER < 0x03000000)
#define HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
#endif
#endif /* USE_MBEDTLS */
#if defined(USE_OPENSSL_SHA256)
/* When OpenSSL or wolfSSL is available we use their SHA256-functions. */
#if defined(USE_OPENSSL)
#include <openssl/evp.h>
#elif defined(USE_WOLFSSL)
#include <wolfssl/openssl/evp.h>
#endif
#elif defined(USE_GNUTLS)
#include <nettle/sha.h>
#elif defined(USE_MBEDTLS)
#include <mbedtls/sha256.h>
#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
(__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \
@ -95,7 +70,7 @@
* file even if multiple backends are enabled at the same time.
*/
#if defined(USE_OPENSSL_SHA256)
#ifdef USE_OPENSSL
struct ossl_sha256_ctx {
EVP_MD_CTX *openssl_ctx;
@ -533,5 +508,4 @@ const struct HMAC_params Curl_HMAC_SHA256 = {
32 /* Result size. */
};
#endif /* AWS, DIGEST, or libssh2 */


@ -34,7 +34,7 @@
#include <limits.h>
/* Wincrypt must be included before anything that could include OpenSSL. */
#if defined(USE_WIN32_CRYPTO)
#ifdef USE_WIN32_CRYPTO
#include <wincrypt.h>
/* Undefine wincrypt conflicting symbols for BoringSSL. */
#undef X509_NAME
@ -83,7 +83,7 @@
#include <openssl/tls1.h>
#include <openssl/evp.h>
#if defined(HAVE_SSL_SET1_ECH_CONFIG_LIST)
#ifdef HAVE_SSL_SET1_ECH_CONFIG_LIST
#define USE_ECH_OPENSSL
#endif
@ -93,17 +93,25 @@
# endif
#endif /* USE_ECH_OPENSSL */
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x0090700fL) && /* 0.9.7 or later */ \
!defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE)
#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE)
#define USE_OPENSSL_ENGINE
#include <openssl/engine.h>
#endif
#if OPENSSL_VERSION_NUMBER >= 0x03000000fL && !defined(OPENSSL_NO_UI_CONSOLE)
#ifdef LIBRESSL_VERSION_NUMBER
# /* As of LibreSSL 2.0.0-4.0.0: OPENSSL_VERSION_NUMBER == 0x20000000L */
# if LIBRESSL_VERSION_NUMBER < 0x2090100fL /* 2019-04-13 */
# error "LibreSSL 2.9.1 or later required"
# endif
#elif OPENSSL_VERSION_NUMBER < 0x1000201fL /* 2015-03-19 */
# error "OpenSSL 1.0.2a or later required"
#endif
#if OPENSSL_VERSION_NUMBER >= 0x3000000fL && !defined(OPENSSL_NO_UI_CONSOLE)
#include <openssl/provider.h>
#include <openssl/store.h>
/* this is used in the following conditions to make them easier to read */
@ -131,20 +139,7 @@
#include <openssl/ui.h>
#endif
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
#define SSL_METHOD_QUAL const
#else
#define SSL_METHOD_QUAL
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
#define HAVE_ERR_REMOVE_THREAD_STATE 1
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
!(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x20700000L)
#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* OpenSSL 1.1.0+ and LibreSSL */
#define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */
#define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */
#define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
@ -157,16 +152,8 @@
#define X509_get0_notBefore(x) X509_get_notBefore(x)
#define X509_get0_notAfter(x) X509_get_notAfter(x)
#define CONST_EXTS /* nope */
#ifndef LIBRESSL_VERSION_NUMBER
#define OpenSSL_version_num() SSLeay()
#endif
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \
!(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x20700000L)
#define HAVE_X509_GET0_SIGNATURE 1
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10002003L && \
OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \
@ -174,11 +161,6 @@
#define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1
#endif
#if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
/* not present in older OpenSSL */
#define OPENSSL_load_builtin_modules(x)
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
#define HAVE_EVP_PKEY_GET_PARAMS 1
#endif
@ -203,35 +185,21 @@
LIBRESSL_VERSION_NUMBER >= 0x3040100fL)) && \
!defined(OPENSSL_IS_BORINGSSL)
#define HAVE_SSL_CTX_SET_CIPHERSUITES
#if !defined(OPENSSL_IS_AWSLC)
#ifndef OPENSSL_IS_AWSLC
#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
#endif
#endif
/*
* Whether SSL_CTX_set1_curves_list is available.
* OpenSSL: supported since 1.0.2, see
* https://docs.openssl.org/master/man3/SSL_CTX_set1_curves/
* BoringSSL: supported since 5fd1807d95f7 (committed 2016-09-30)
* LibreSSL: since 2.5.3 (April 12, 2017)
*/
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) || \
defined(OPENSSL_IS_BORINGSSL)
#define HAVE_SSL_CTX_SET_EC_CURVES
#endif
#if defined(LIBRESSL_VERSION_NUMBER)
#ifdef LIBRESSL_VERSION_NUMBER
#define OSSL_PACKAGE "LibreSSL"
#elif defined(OPENSSL_IS_BORINGSSL)
#define OSSL_PACKAGE "BoringSSL"
#elif defined(OPENSSL_IS_AWSLC)
#define OSSL_PACKAGE "AWS-LC"
#elif (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || defined(USE_MSH3)
#define OSSL_PACKAGE "quictls"
#else
# if (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || defined(USE_MSH3)
# define OSSL_PACKAGE "quictls"
# else
# define OSSL_PACKAGE "OpenSSL"
#endif
#define OSSL_PACKAGE "OpenSSL"
#endif
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
@ -265,8 +233,6 @@ typedef int numcert_t;
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x2070100fL) && \
!defined(OPENSSL_IS_BORINGSSL) && \
!defined(OPENSSL_IS_AWSLC)
#define HAVE_OPENSSL_VERSION
@ -287,13 +253,6 @@ typedef unsigned long sslerr_t;
#define HAVE_SSL_X509_STORE_SHARE
#endif
/* What API version do we use? */
#if defined(LIBRESSL_VERSION_NUMBER)
#define USE_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
#else /* !LIBRESSL_VERSION_NUMBER */
#define USE_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
#endif /* !LIBRESSL_VERSION_NUMBER */
static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl);
static CURLcode push_certinfo(struct Curl_easy *data,
@ -449,7 +408,7 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
if(result)
break;
#if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS)
#ifdef HAVE_X509_GET0_EXTENSIONS
{
const X509_ALGOR *sigalg = NULL;
X509_PUBKEY *xpubkey = NULL;
@ -666,21 +625,19 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
#ifdef USE_OPENSSL
#if USE_PRE_1_1_API
#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define BIO_set_init(x,v) ((x)->init=(v))
#define BIO_get_data(x) ((x)->ptr)
#define BIO_set_data(x,v) ((x)->ptr=(v))
#endif
#define BIO_get_shutdown(x) ((x)->shutdown)
#define BIO_set_shutdown(x,v) ((x)->shutdown=(v))
#endif /* USE_PRE_1_1_API */
#endif /* HAVE_PRE_1_1_API */
static int ossl_bio_cf_create(BIO *bio)
{
BIO_set_shutdown(bio, 1);
BIO_set_init(bio, 1);
#if USE_PRE_1_1_API
#if OPENSSL_VERSION_NUMBER < 0x10100000L
bio->num = -1;
#endif
BIO_set_data(bio, NULL);
@ -797,7 +754,7 @@ static int ossl_bio_cf_in_read(BIO *bio, char *buf, int blen)
return (int)nread;
}
#if USE_PRE_1_1_API
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static BIO_METHOD ossl_bio_cf_meth_1_0 = {
BIO_TYPE_MEM,
@ -866,9 +823,7 @@ ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done)
if(!session || *keylog_done)
return;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
!(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x20700000L)
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/* ssl->s3 is not checked in OpenSSL 1.1.0-pre6, but let's assume that
* we have a valid SSL context if we have a non-NULL session. */
SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE);
@ -915,15 +870,15 @@ static const char *SSL_ERROR_to_str(int err)
return "SSL_ERROR_WANT_CONNECT";
case SSL_ERROR_WANT_ACCEPT:
return "SSL_ERROR_WANT_ACCEPT";
#if defined(SSL_ERROR_WANT_ASYNC)
#ifdef SSL_ERROR_WANT_ASYNC
case SSL_ERROR_WANT_ASYNC:
return "SSL_ERROR_WANT_ASYNC";
#endif
#if defined(SSL_ERROR_WANT_ASYNC_JOB)
#ifdef SSL_ERROR_WANT_ASYNC_JOB
case SSL_ERROR_WANT_ASYNC_JOB:
return "SSL_ERROR_WANT_ASYNC_JOB";
#endif
#if defined(SSL_ERROR_WANT_EARLY)
#ifdef SSL_ERROR_WANT_EARLY
case SSL_ERROR_WANT_EARLY:
return "SSL_ERROR_WANT_EARLY";
#endif
@ -1207,10 +1162,6 @@ static int
use_certificate_chain_blob(SSL_CTX *ctx, const struct curl_blob *blob,
const char *key_passwd)
{
/* SSL_CTX_add1_chain_cert introduced in OpenSSL 1.0.2 */
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* OpenSSL 1.0.2 or later */ \
!(defined(LIBRESSL_VERSION_NUMBER) && \
(LIBRESSL_VERSION_NUMBER < 0x2090100fL)) /* LibreSSL 2.9.1 or later */
int ret = 0;
X509 *x = NULL;
void *passwd_callback_userdata = (void *)key_passwd;
@ -1262,12 +1213,6 @@ end:
X509_free(x);
BIO_free(in);
return ret;
#else
(void)ctx; /* unused */
(void)blob; /* unused */
(void)key_passwd; /* unused */
return 0;
#endif
}
static
@ -1844,8 +1789,7 @@ static CURLcode x509_name_oneline(X509_NAME *a, struct dynbuf *d)
*/
static int ossl_init(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
const uint64_t flags =
#ifdef OPENSSL_INIT_ENGINE_ALL_BUILTIN
/* not present in BoringSSL */
@ -1895,8 +1839,7 @@ static int ossl_init(void)
/* Global cleanup */
static void ossl_cleanup(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/* OpenSSL 1.1 deprecates all these cleanup functions and
turns them into no-ops in OpenSSL 1.0 compatibility mode */
#else
@ -1912,11 +1855,7 @@ static void ossl_cleanup(void)
ERR_free_strings();
/* Free thread local error state, destroying hash upon zero refcount */
#ifdef HAVE_ERR_REMOVE_THREAD_STATE
ERR_remove_thread_state(NULL);
#else
ERR_remove_state(0);
#endif
/* Free all memory allocated by all configuration modules */
CONF_modules_free();
@ -1934,18 +1873,7 @@ static void ossl_cleanup(void)
static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine)
{
#ifdef USE_OPENSSL_ENGINE
ENGINE *e;
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
e = ENGINE_by_id(engine);
#else
/* avoid memory leak */
for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
const char *e_id = ENGINE_get_id(e);
if(!strcmp(engine, e_id))
break;
}
#endif
ENGINE *e = ENGINE_by_id(engine);
if(!e) {
failf(data, "SSL Engine '%s' not found", engine);
@ -2204,8 +2132,7 @@ static void ossl_close_all(struct Curl_easy *data)
#else
(void)data;
#endif
#if !defined(HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED) && \
defined(HAVE_ERR_REMOVE_THREAD_STATE)
#ifndef HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED
/* OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
so we need to clean it here in case the thread will be killed. All OpenSSL
code should extract the error in association with the error so clearing
@ -2463,14 +2390,13 @@ static CURLcode ossl_verifyhost(struct Curl_easy *data,
return result;
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
static CURLcode verifystatus(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ossl_ctx *octx)
{
int i, ocsp_status;
#if defined(OPENSSL_IS_AWSLC)
#ifdef OPENSSL_IS_AWSLC
const uint8_t *status;
#else
unsigned char *status;
@ -2529,34 +2455,6 @@ static CURLcode verifystatus(struct Curl_cfilter *cf,
}
st = SSL_CTX_get_cert_store(octx->ssl_ctx);
#if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \
(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER <= 0x2040200fL))
/* The authorized responder cert in the OCSP response MUST be signed by the
peer cert's issuer (see RFC6960 section 4.2.2.2). If that is a root cert,
no problem, but if it is an intermediate cert OpenSSL has a bug where it
expects this issuer to be present in the chain embedded in the OCSP
response. So we add it if necessary. */
/* First make sure the peer cert chain includes both a peer and an issuer,
and the OCSP response contains a responder cert. */
if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
/* Find issuer of responder cert and add it to the OCSP response chain */
for(i = 0; i < sk_X509_num(ch); i++) {
X509 *issuer = sk_X509_value(ch, i);
if(X509_check_issued(issuer, responder) == X509_V_OK) {
if(!OCSP_basic_add1_cert(br, issuer)) {
failf(data, "Could not add issuer cert to OCSP response");
result = CURLE_SSL_INVALIDCERTSTATUS;
goto end;
}
}
}
}
#endif
if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
failf(data, "OCSP response verification failed");
result = CURLE_SSL_INVALIDCERTSTATUS;
@ -2856,9 +2754,8 @@ static void ossl_trace(int direction, int ssl_ver, int content_type,
#ifdef USE_OPENSSL
/* ====================================================== */
/* Check for OpenSSL 1.0.2 which has ALPN support. */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L \
&& !defined(OPENSSL_NO_TLSEXT)
/* Check for ALPN support. */
#ifndef OPENSSL_NO_TLSEXT
# define HAS_ALPN_OPENSSL
#endif
@ -2991,20 +2888,10 @@ ossl_set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
#endif
FALLTHROUGH();
case CURL_SSLVERSION_TLSv1_2:
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
*ctx_options |= SSL_OP_NO_TLSv1_1;
#else
failf(data, OSSL_PACKAGE " was built without TLS 1.2 support");
return CURLE_NOT_BUILT_IN;
#endif
FALLTHROUGH();
case CURL_SSLVERSION_TLSv1_1:
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
*ctx_options |= SSL_OP_NO_TLSv1;
#else
failf(data, OSSL_PACKAGE " was built without TLS 1.1 support");
return CURLE_NOT_BUILT_IN;
#endif
FALLTHROUGH();
case CURL_SSLVERSION_TLSv1_0:
case CURL_SSLVERSION_TLSv1:
@ -3013,14 +2900,10 @@ ossl_set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
switch(ssl_version_max) {
case CURL_SSLVERSION_MAX_TLSv1_0:
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
*ctx_options |= SSL_OP_NO_TLSv1_1;
#endif
FALLTHROUGH();
case CURL_SSLVERSION_MAX_TLSv1_1:
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
*ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
FALLTHROUGH();
case CURL_SSLVERSION_MAX_TLSv1_2:
#ifdef TLS1_3_VERSION
@ -3165,7 +3048,7 @@ static CURLcode load_cacert_from_memory(X509_STORE *store,
return (count > 0) ? CURLE_OK : CURLE_SSL_CACERT_BADFILE;
}
#if defined(USE_WIN32_CRYPTO)
#ifdef USE_WIN32_CRYPTO
static CURLcode import_windows_cert_store(struct Curl_easy *data,
const char *name,
X509_STORE *store,
@ -3333,7 +3216,7 @@ static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf,
return CURLE_OUT_OF_MEMORY;
if(verifypeer) {
#if defined(USE_WIN32_CRYPTO)
#ifdef USE_WIN32_CRYPTO
/* Import certificates from the Windows root certificate store if
requested.
https://stackoverflow.com/questions/9507184/
@ -3451,7 +3334,7 @@ static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf,
https://web.archive.org/web/20190422050538/
rt.openssl.org/Ticket/Display.html?id=3621
*/
#if defined(X509_V_FLAG_TRUSTED_FIRST)
#ifdef X509_V_FLAG_TRUSTED_FIRST
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
#endif
#ifdef X509_V_FLAG_PARTIAL_CHAIN
@ -3472,7 +3355,7 @@ static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf,
return result;
}
#if defined(HAVE_SSL_X509_STORE_SHARE)
#ifdef HAVE_SSL_X509_STORE_SHARE
/* key to use at `multi->proto_hash` */
#define MPROTO_OSSL_X509_KEY "tls:ossl:x509:share"
@ -3652,7 +3535,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
{
CURLcode result = CURLE_OK;
const char *ciphers;
SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
const SSL_METHOD *req_method = NULL;
ctx_option_t ctx_options = 0;
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
@ -3891,7 +3774,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
SSL_CTX_set_post_handshake_auth(octx->ssl_ctx, 1);
#endif
#ifdef HAVE_SSL_CTX_SET_EC_CURVES
{
const char *curves = conn_config->curves;
if(curves) {
@ -3901,7 +3783,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
}
}
}
#endif
#ifdef USE_OPENSSL_SRP
if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) {
@ -3985,8 +3866,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
SSL_set_app_data(octx->ssl, ssl_user_data);
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
if(conn_config->verifystatus)
SSL_set_tlsext_status_type(octx->ssl, TLSEXT_STATUSTYPE_ocsp);
#endif
@ -4388,7 +4268,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
else
failf(data, "%s", "SSL certificate verification failed");
}
#if defined(SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)
#ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
/* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */
else if((lib == ERR_LIB_SSL) &&
@ -4857,8 +4737,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
}
infof_certstack(data, octx->ssl);
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
if(conn_config->verifystatus && !octx->reused_session) {
/* do not do this after Session ID reuse */
result = verifystatus(cf, data, octx);
@ -5254,7 +5133,6 @@ static CURLcode ossl_get_channel_binding(struct Curl_easy *data, int sockindex,
size_t Curl_ossl_version(char *buffer, size_t size)
{
#ifdef LIBRESSL_VERSION_NUMBER
#ifdef HAVE_OPENSSL_VERSION
char *p;
size_t count;
const char *ver = OpenSSL_version(OPENSSL_VERSION);
@ -5268,13 +5146,6 @@ size_t Curl_ossl_version(char *buffer, size_t size)
*p = '_';
}
return count;
#else
return msnprintf(buffer, size, "%s/%lx.%lx.%lx",
OSSL_PACKAGE,
(LIBRESSL_VERSION_NUMBER >> 28) & 0xf,
(LIBRESSL_VERSION_NUMBER >> 20) & 0xff,
(LIBRESSL_VERSION_NUMBER >> 12) & 0xff);
#endif
#elif defined(OPENSSL_IS_BORINGSSL)
#ifdef CURL_BORINGSSL_VERSION
return msnprintf(buffer, size, "%s/%s",
@ -5298,25 +5169,19 @@ size_t Curl_ossl_version(char *buffer, size_t size)
sub[2]='\0';
sub[1]='\0';
ssleay_value = OpenSSL_version_num();
if(ssleay_value < 0x906000) {
ssleay_value = SSLEAY_VERSION_NUMBER;
sub[0]='\0';
}
else {
if(ssleay_value&0xff0) {
int minor_ver = (ssleay_value >> 4) & 0xff;
if(minor_ver > 26) {
/* handle extended version introduced for 0.9.8za */
sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
sub[0] = 'z';
}
else {
sub[0] = (char) (minor_ver + 'a' - 1);
}
if(ssleay_value&0xff0) {
int minor_ver = (ssleay_value >> 4) & 0xff;
if(minor_ver > 26) {
/* handle extended version introduced for 0.9.8za */
sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
sub[0] = 'z';
}
else {
sub[0] = (char) (minor_ver + 'a' - 1);
}
else
sub[0]='\0';
}
else
sub[0]='\0';
return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s"
#ifdef OPENSSL_FIPS
@ -5349,7 +5214,7 @@ static CURLcode ossl_random(struct Curl_easy *data,
return rc == 1 ? CURLE_OK : CURLE_FAILED_INIT;
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
#ifndef OPENSSL_NO_SHA256
static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */
size_t tmplen,
unsigned char *sha256sum /* output */,
@ -5375,8 +5240,7 @@ static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */
static bool ossl_cert_status_request(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
return TRUE;
#else
return FALSE;
@ -5429,7 +5293,7 @@ const struct Curl_ssl Curl_ssl_openssl = {
ossl_set_engine_default, /* set_engine_default */
ossl_engines_list, /* engines_list */
NULL, /* false_start */
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
#ifndef OPENSSL_NO_SHA256
ossl_sha256sum, /* sha256sum */
#else
NULL, /* sha256sum */
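Review bot: The closing comment `#endif /* HAVE_PRE_1_1_API */` in the ossl_bio_cf_create hunk (-666,21) names a macro that the guard does not test and that the commit otherwise removes (USE_PRE_1_1_API); since the guard now opens with `#if OPENSSL_VERSION_NUMBER < 0x10100000L`, the line should read `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */`. Separately, the new `#error` checks for OpenSSL 1.0.2a / LibreSSL 2.9.1 in the -93,17 hunk sit after `<openssl/ocsp.h>` and `<openssl/engine.h>` have already been included, so on an unsupported library the first diagnostics are likely to come from those headers rather than from the intended message; placing the block ahead of the first OpenSSL include (outside this hunk) would make the version requirement the leading error. The `#` in front of the LibreSSL explanatory comment is a null directive and harmless, but a plain `/* ... */` line would read less like a stray character.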