openssl: drop support for old OpenSSL/LibreSSL versions

Require OpenSSL 1.0.2a (2015-03-19) or LibreSSL 2.9.1 (2019-04-13).

Closes #16104
Viktor Szakats 2025-01-27 20:35:23 +01:00
parent e0fd5790d9
commit 2cc90a679a
No known key found for this signature in database
GPG Key ID: B5ABD165E2AEF201
5 changed files with 68 additions and 278 deletions


@ -24,7 +24,8 @@ versions of libs and build tools.
We aim to support these or later versions. We aim to support these or later versions.
- OpenSSL 0.9.7 - OpenSSL 1.0.2a
- LibreSSL 2.9.1
- GnuTLS 3.1.10 - GnuTLS 3.1.10
- zlib 1.2.0.4 - zlib 1.2.0.4
- libssh2 1.2.8 - libssh2 1.2.8


@ -71,16 +71,7 @@
# include <openssl/md5.h> # include <openssl/md5.h>
# include <openssl/ssl.h> # include <openssl/ssl.h>
# include <openssl/rand.h> # include <openssl/rand.h>
# if (defined(OPENSSL_VERSION_NUMBER) && \ # if defined(OPENSSL_IS_AWSLC)
(OPENSSL_VERSION_NUMBER < 0x00907001L)) && !defined(USE_WOLFSSL)
# define DES_key_schedule des_key_schedule
# define DES_cblock des_cblock
# define DES_set_odd_parity des_set_odd_parity
# define DES_set_key des_set_key
# define DES_ecb_encrypt des_ecb_encrypt
# define DESKEY(x) x
# define DESKEYARG(x) x
# elif defined(OPENSSL_IS_AWSLC)
# define DES_set_key_unchecked (void)DES_set_key # define DES_set_key_unchecked (void)DES_set_key
# define DESKEYARG(x) *x # define DESKEYARG(x) *x
# define DESKEY(x) &x # define DESKEY(x) &x


@ -394,51 +394,11 @@ static struct passwd *vms_getpwuid(uid_t uid)
/* that way a newer port will also work if some one has one */ /* that way a newer port will also work if some one has one */
#ifdef __VAX #ifdef __VAX
# if (OPENSSL_VERSION_NUMBER < 0x00907001L)
# define des_set_odd_parity DES_SET_ODD_PARITY
# define des_set_key DES_SET_KEY
# define des_ecb_encrypt DES_ECB_ENCRYPT
# endif
# include <openssl/evp.h> # include <openssl/evp.h>
# ifndef OpenSSL_add_all_algorithms # ifndef OpenSSL_add_all_algorithms
# define OpenSSL_add_all_algorithms OPENSSL_ADD_ALL_ALGORITHMS # define OpenSSL_add_all_algorithms OPENSSL_ADD_ALL_ALGORITHMS
void OPENSSL_ADD_ALL_ALGORITHMS(void); void OPENSSL_ADD_ALL_ALGORITHMS(void);
# endif # endif
/* Curl defines these to lower case and VAX needs them in upper case */
/* So we need static routines */
# if (OPENSSL_VERSION_NUMBER < 0x00907001L)
# undef des_set_odd_parity
# undef DES_set_odd_parity
# undef des_set_key
# undef DES_set_key
# undef des_ecb_encrypt
# undef DES_ecb_encrypt
static void des_set_odd_parity(des_cblock *key) {
DES_SET_ODD_PARITY(key);
}
static int des_set_key(const_des_cblock *key,
des_key_schedule schedule) {
return DES_SET_KEY(key, schedule);
}
static void des_ecb_encrypt(const_des_cblock *input,
des_cblock *output,
des_key_schedule ks, int enc) {
DES_ECB_ENCRYPT(input, output, ks, enc);
}
#endif
/* Need this to stop a macro redefinition error */
#if OPENSSL_VERSION_NUMBER < 0x00907000L
# ifdef X509_STORE_set_flags
# undef X509_STORE_set_flags
# define X509_STORE_set_flags(x,y) Curl_nop_stmt
# endif
#endif
#endif #endif
#endif /* HEADER_CURL_SETUP_VMS_H */ #endif /* HEADER_CURL_SETUP_VMS_H */


@ -32,41 +32,16 @@
#include "curl_sha256.h" #include "curl_sha256.h"
#include "curl_hmac.h" #include "curl_hmac.h"
#ifdef USE_WOLFSSL #ifdef USE_OPENSSL
#include <wolfssl/options.h> #include <openssl/evp.h>
#endif #elif defined(USE_GNUTLS)
#include <nettle/sha.h>
#if defined(USE_OPENSSL) #elif defined(USE_MBEDTLS)
#include <openssl/opensslv.h>
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
#define USE_OPENSSL_SHA256
#endif
#endif /* USE_OPENSSL */
#ifdef USE_MBEDTLS
#include <mbedtls/version.h> #include <mbedtls/version.h>
#if(MBEDTLS_VERSION_NUMBER >= 0x02070000) && \ #if(MBEDTLS_VERSION_NUMBER >= 0x02070000) && \
(MBEDTLS_VERSION_NUMBER < 0x03000000) (MBEDTLS_VERSION_NUMBER < 0x03000000)
#define HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS #define HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
#endif #endif
#endif /* USE_MBEDTLS */
#if defined(USE_OPENSSL_SHA256)
/* When OpenSSL or wolfSSL is available we use their SHA256-functions. */
#if defined(USE_OPENSSL)
#include <openssl/evp.h>
#elif defined(USE_WOLFSSL)
#include <wolfssl/openssl/evp.h>
#endif
#elif defined(USE_GNUTLS)
#include <nettle/sha.h>
#elif defined(USE_MBEDTLS)
#include <mbedtls/sha256.h> #include <mbedtls/sha256.h>
#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ #elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
(__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \ (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \
@ -95,7 +70,7 @@
* file even if multiple backends are enabled at the same time. * file even if multiple backends are enabled at the same time.
*/ */
#if defined(USE_OPENSSL_SHA256) #ifdef USE_OPENSSL
struct ossl_sha256_ctx { struct ossl_sha256_ctx {
EVP_MD_CTX *openssl_ctx; EVP_MD_CTX *openssl_ctx;
@ -533,5 +508,4 @@ const struct HMAC_params Curl_HMAC_SHA256 = {
32 /* Result size. */ 32 /* Result size. */
}; };
#endif /* AWS, DIGEST, or libssh2 */ #endif /* AWS, DIGEST, or libssh2 */


@ -34,7 +34,7 @@
#include <limits.h> #include <limits.h>
/* Wincrypt must be included before anything that could include OpenSSL. */ /* Wincrypt must be included before anything that could include OpenSSL. */
#if defined(USE_WIN32_CRYPTO) #ifdef USE_WIN32_CRYPTO
#include <wincrypt.h> #include <wincrypt.h>
/* Undefine wincrypt conflicting symbols for BoringSSL. */ /* Undefine wincrypt conflicting symbols for BoringSSL. */
#undef X509_NAME #undef X509_NAME
@ -83,7 +83,7 @@
#include <openssl/tls1.h> #include <openssl/tls1.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#if defined(HAVE_SSL_SET1_ECH_CONFIG_LIST) #ifdef HAVE_SSL_SET1_ECH_CONFIG_LIST
#define USE_ECH_OPENSSL #define USE_ECH_OPENSSL
#endif #endif
@ -93,17 +93,25 @@
# endif # endif
#endif /* USE_ECH_OPENSSL */ #endif /* USE_ECH_OPENSSL */
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP) #ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h> #include <openssl/ocsp.h>
#endif #endif
#if (OPENSSL_VERSION_NUMBER >= 0x0090700fL) && /* 0.9.7 or later */ \ #if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE)
!defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE)
#define USE_OPENSSL_ENGINE #define USE_OPENSSL_ENGINE
#include <openssl/engine.h> #include <openssl/engine.h>
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x03000000fL && !defined(OPENSSL_NO_UI_CONSOLE) #ifdef LIBRESSL_VERSION_NUMBER
# /* As of LibreSSL 2.0.0-4.0.0: OPENSSL_VERSION_NUMBER == 0x20000000L */
# if LIBRESSL_VERSION_NUMBER < 0x2090100fL /* 2019-04-13 */
# error "LibreSSL 2.9.1 or later required"
# endif
#elif OPENSSL_VERSION_NUMBER < 0x1000201fL /* 2015-03-19 */
# error "OpenSSL 1.0.2a or later required"
#endif
#if OPENSSL_VERSION_NUMBER >= 0x3000000fL && !defined(OPENSSL_NO_UI_CONSOLE)
#include <openssl/provider.h> #include <openssl/provider.h>
#include <openssl/store.h> #include <openssl/store.h>
/* this is used in the following conditions to make them easier to read */ /* this is used in the following conditions to make them easier to read */
@ -131,20 +139,7 @@
#include <openssl/ui.h> #include <openssl/ui.h>
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x00909000L #if OPENSSL_VERSION_NUMBER >= 0x10100000L /* OpenSSL 1.1.0+ and LibreSSL */
#define SSL_METHOD_QUAL const
#else
#define SSL_METHOD_QUAL
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
#define HAVE_ERR_REMOVE_THREAD_STATE 1
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
!(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x20700000L)
#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
#define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */ #define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */
#define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */ #define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */
#define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */ #define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
@ -157,16 +152,8 @@
#define X509_get0_notBefore(x) X509_get_notBefore(x) #define X509_get0_notBefore(x) X509_get_notBefore(x)
#define X509_get0_notAfter(x) X509_get_notAfter(x) #define X509_get0_notAfter(x) X509_get_notAfter(x)
#define CONST_EXTS /* nope */ #define CONST_EXTS /* nope */
#ifndef LIBRESSL_VERSION_NUMBER
#define OpenSSL_version_num() SSLeay() #define OpenSSL_version_num() SSLeay()
#endif #endif
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \
!(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x20700000L)
#define HAVE_X509_GET0_SIGNATURE 1
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10002003L && \ #if OPENSSL_VERSION_NUMBER >= 0x10002003L && \
OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \ OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \
@ -174,11 +161,6 @@
#define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1 #define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1
#endif #endif
#if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
/* not present in older OpenSSL */
#define OPENSSL_load_builtin_modules(x)
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
#define HAVE_EVP_PKEY_GET_PARAMS 1 #define HAVE_EVP_PKEY_GET_PARAMS 1
#endif #endif
@ -203,35 +185,21 @@
LIBRESSL_VERSION_NUMBER >= 0x3040100fL)) && \ LIBRESSL_VERSION_NUMBER >= 0x3040100fL)) && \
!defined(OPENSSL_IS_BORINGSSL) !defined(OPENSSL_IS_BORINGSSL)
#define HAVE_SSL_CTX_SET_CIPHERSUITES #define HAVE_SSL_CTX_SET_CIPHERSUITES
#if !defined(OPENSSL_IS_AWSLC) #ifndef OPENSSL_IS_AWSLC
#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH #define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
#endif #endif
#endif #endif
/* #ifdef LIBRESSL_VERSION_NUMBER
* Whether SSL_CTX_set1_curves_list is available.
* OpenSSL: supported since 1.0.2, see
* https://docs.openssl.org/master/man3/SSL_CTX_set1_curves/
* BoringSSL: supported since 5fd1807d95f7 (committed 2016-09-30)
* LibreSSL: since 2.5.3 (April 12, 2017)
*/
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) || \
defined(OPENSSL_IS_BORINGSSL)
#define HAVE_SSL_CTX_SET_EC_CURVES
#endif
#if defined(LIBRESSL_VERSION_NUMBER)
#define OSSL_PACKAGE "LibreSSL" #define OSSL_PACKAGE "LibreSSL"
#elif defined(OPENSSL_IS_BORINGSSL) #elif defined(OPENSSL_IS_BORINGSSL)
#define OSSL_PACKAGE "BoringSSL" #define OSSL_PACKAGE "BoringSSL"
#elif defined(OPENSSL_IS_AWSLC) #elif defined(OPENSSL_IS_AWSLC)
#define OSSL_PACKAGE "AWS-LC" #define OSSL_PACKAGE "AWS-LC"
#elif (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || defined(USE_MSH3)
#define OSSL_PACKAGE "quictls"
#else #else
# if (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || defined(USE_MSH3) #define OSSL_PACKAGE "OpenSSL"
# define OSSL_PACKAGE "quictls"
# else
# define OSSL_PACKAGE "OpenSSL"
#endif
#endif #endif
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
@ -265,8 +233,6 @@ typedef int numcert_t;
#endif #endif
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x2070100fL) && \
!defined(OPENSSL_IS_BORINGSSL) && \ !defined(OPENSSL_IS_BORINGSSL) && \
!defined(OPENSSL_IS_AWSLC) !defined(OPENSSL_IS_AWSLC)
#define HAVE_OPENSSL_VERSION #define HAVE_OPENSSL_VERSION
@ -287,13 +253,6 @@ typedef unsigned long sslerr_t;
#define HAVE_SSL_X509_STORE_SHARE #define HAVE_SSL_X509_STORE_SHARE
#endif #endif
/* What API version do we use? */
#if defined(LIBRESSL_VERSION_NUMBER)
#define USE_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
#else /* !LIBRESSL_VERSION_NUMBER */
#define USE_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
#endif /* !LIBRESSL_VERSION_NUMBER */
static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl); static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl);
static CURLcode push_certinfo(struct Curl_easy *data, static CURLcode push_certinfo(struct Curl_easy *data,
@ -449,7 +408,7 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
if(result) if(result)
break; break;
#if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS) #ifdef HAVE_X509_GET0_EXTENSIONS
{ {
const X509_ALGOR *sigalg = NULL; const X509_ALGOR *sigalg = NULL;
X509_PUBKEY *xpubkey = NULL; X509_PUBKEY *xpubkey = NULL;
@ -666,21 +625,19 @@ static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
#ifdef USE_OPENSSL #ifdef USE_OPENSSL
#if USE_PRE_1_1_API #if OPENSSL_VERSION_NUMBER < 0x10100000L
#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
#define BIO_set_init(x,v) ((x)->init=(v)) #define BIO_set_init(x,v) ((x)->init=(v))
#define BIO_get_data(x) ((x)->ptr) #define BIO_get_data(x) ((x)->ptr)
#define BIO_set_data(x,v) ((x)->ptr=(v)) #define BIO_set_data(x,v) ((x)->ptr=(v))
#endif
#define BIO_get_shutdown(x) ((x)->shutdown) #define BIO_get_shutdown(x) ((x)->shutdown)
#define BIO_set_shutdown(x,v) ((x)->shutdown=(v)) #define BIO_set_shutdown(x,v) ((x)->shutdown=(v))
#endif /* USE_PRE_1_1_API */ #endif /* HAVE_PRE_1_1_API */
static int ossl_bio_cf_create(BIO *bio) static int ossl_bio_cf_create(BIO *bio)
{ {
BIO_set_shutdown(bio, 1); BIO_set_shutdown(bio, 1);
BIO_set_init(bio, 1); BIO_set_init(bio, 1);
#if USE_PRE_1_1_API #if OPENSSL_VERSION_NUMBER < 0x10100000L
bio->num = -1; bio->num = -1;
#endif #endif
BIO_set_data(bio, NULL); BIO_set_data(bio, NULL);
@ -797,7 +754,7 @@ static int ossl_bio_cf_in_read(BIO *bio, char *buf, int blen)
return (int)nread; return (int)nread;
} }
#if USE_PRE_1_1_API #if OPENSSL_VERSION_NUMBER < 0x10100000L
static BIO_METHOD ossl_bio_cf_meth_1_0 = { static BIO_METHOD ossl_bio_cf_meth_1_0 = {
BIO_TYPE_MEM, BIO_TYPE_MEM,
@ -866,9 +823,7 @@ ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done)
if(!session || *keylog_done) if(!session || *keylog_done)
return; return;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
!(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x20700000L)
/* ssl->s3 is not checked in OpenSSL 1.1.0-pre6, but let's assume that /* ssl->s3 is not checked in OpenSSL 1.1.0-pre6, but let's assume that
* we have a valid SSL context if we have a non-NULL session. */ * we have a valid SSL context if we have a non-NULL session. */
SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE); SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE);
@ -915,15 +870,15 @@ static const char *SSL_ERROR_to_str(int err)
return "SSL_ERROR_WANT_CONNECT"; return "SSL_ERROR_WANT_CONNECT";
case SSL_ERROR_WANT_ACCEPT: case SSL_ERROR_WANT_ACCEPT:
return "SSL_ERROR_WANT_ACCEPT"; return "SSL_ERROR_WANT_ACCEPT";
#if defined(SSL_ERROR_WANT_ASYNC) #ifdef SSL_ERROR_WANT_ASYNC
case SSL_ERROR_WANT_ASYNC: case SSL_ERROR_WANT_ASYNC:
return "SSL_ERROR_WANT_ASYNC"; return "SSL_ERROR_WANT_ASYNC";
#endif #endif
#if defined(SSL_ERROR_WANT_ASYNC_JOB) #ifdef SSL_ERROR_WANT_ASYNC_JOB
case SSL_ERROR_WANT_ASYNC_JOB: case SSL_ERROR_WANT_ASYNC_JOB:
return "SSL_ERROR_WANT_ASYNC_JOB"; return "SSL_ERROR_WANT_ASYNC_JOB";
#endif #endif
#if defined(SSL_ERROR_WANT_EARLY) #ifdef SSL_ERROR_WANT_EARLY
case SSL_ERROR_WANT_EARLY: case SSL_ERROR_WANT_EARLY:
return "SSL_ERROR_WANT_EARLY"; return "SSL_ERROR_WANT_EARLY";
#endif #endif
@ -1207,10 +1162,6 @@ static int
use_certificate_chain_blob(SSL_CTX *ctx, const struct curl_blob *blob, use_certificate_chain_blob(SSL_CTX *ctx, const struct curl_blob *blob,
const char *key_passwd) const char *key_passwd)
{ {
/* SSL_CTX_add1_chain_cert introduced in OpenSSL 1.0.2 */
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* OpenSSL 1.0.2 or later */ \
!(defined(LIBRESSL_VERSION_NUMBER) && \
(LIBRESSL_VERSION_NUMBER < 0x2090100fL)) /* LibreSSL 2.9.1 or later */
int ret = 0; int ret = 0;
X509 *x = NULL; X509 *x = NULL;
void *passwd_callback_userdata = (void *)key_passwd; void *passwd_callback_userdata = (void *)key_passwd;
@ -1262,12 +1213,6 @@ end:
X509_free(x); X509_free(x);
BIO_free(in); BIO_free(in);
return ret; return ret;
#else
(void)ctx; /* unused */
(void)blob; /* unused */
(void)key_passwd; /* unused */
return 0;
#endif
} }
static static
@ -1844,8 +1789,7 @@ static CURLcode x509_name_oneline(X509_NAME *a, struct dynbuf *d)
*/ */
static int ossl_init(void) static int ossl_init(void)
{ {
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
const uint64_t flags = const uint64_t flags =
#ifdef OPENSSL_INIT_ENGINE_ALL_BUILTIN #ifdef OPENSSL_INIT_ENGINE_ALL_BUILTIN
/* not present in BoringSSL */ /* not present in BoringSSL */
@ -1895,8 +1839,7 @@ static int ossl_init(void)
/* Global cleanup */ /* Global cleanup */
static void ossl_cleanup(void) static void ossl_cleanup(void)
{ {
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
/* OpenSSL 1.1 deprecates all these cleanup functions and /* OpenSSL 1.1 deprecates all these cleanup functions and
turns them into no-ops in OpenSSL 1.0 compatibility mode */ turns them into no-ops in OpenSSL 1.0 compatibility mode */
#else #else
@ -1912,11 +1855,7 @@ static void ossl_cleanup(void)
ERR_free_strings(); ERR_free_strings();
/* Free thread local error state, destroying hash upon zero refcount */ /* Free thread local error state, destroying hash upon zero refcount */
#ifdef HAVE_ERR_REMOVE_THREAD_STATE
ERR_remove_thread_state(NULL); ERR_remove_thread_state(NULL);
#else
ERR_remove_state(0);
#endif
/* Free all memory allocated by all configuration modules */ /* Free all memory allocated by all configuration modules */
CONF_modules_free(); CONF_modules_free();
@ -1934,18 +1873,7 @@ static void ossl_cleanup(void)
static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine) static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine)
{ {
#ifdef USE_OPENSSL_ENGINE #ifdef USE_OPENSSL_ENGINE
ENGINE *e; ENGINE *e = ENGINE_by_id(engine);
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
e = ENGINE_by_id(engine);
#else
/* avoid memory leak */
for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
const char *e_id = ENGINE_get_id(e);
if(!strcmp(engine, e_id))
break;
}
#endif
if(!e) { if(!e) {
failf(data, "SSL Engine '%s' not found", engine); failf(data, "SSL Engine '%s' not found", engine);
@ -2204,8 +2132,7 @@ static void ossl_close_all(struct Curl_easy *data)
#else #else
(void)data; (void)data;
#endif #endif
#if !defined(HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED) && \ #ifndef HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED
defined(HAVE_ERR_REMOVE_THREAD_STATE)
/* OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread /* OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
so we need to clean it here in case the thread will be killed. All OpenSSL so we need to clean it here in case the thread will be killed. All OpenSSL
code should extract the error in association with the error so clearing code should extract the error in association with the error so clearing
@ -2463,14 +2390,13 @@ static CURLcode ossl_verifyhost(struct Curl_easy *data,
return result; return result;
} }
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
!defined(OPENSSL_NO_OCSP)
static CURLcode verifystatus(struct Curl_cfilter *cf, static CURLcode verifystatus(struct Curl_cfilter *cf,
struct Curl_easy *data, struct Curl_easy *data,
struct ossl_ctx *octx) struct ossl_ctx *octx)
{ {
int i, ocsp_status; int i, ocsp_status;
#if defined(OPENSSL_IS_AWSLC) #ifdef OPENSSL_IS_AWSLC
const uint8_t *status; const uint8_t *status;
#else #else
unsigned char *status; unsigned char *status;
@ -2529,34 +2455,6 @@ static CURLcode verifystatus(struct Curl_cfilter *cf,
} }
st = SSL_CTX_get_cert_store(octx->ssl_ctx); st = SSL_CTX_get_cert_store(octx->ssl_ctx);
#if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \
(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER <= 0x2040200fL))
/* The authorized responder cert in the OCSP response MUST be signed by the
peer cert's issuer (see RFC6960 section 4.2.2.2). If that is a root cert,
no problem, but if it is an intermediate cert OpenSSL has a bug where it
expects this issuer to be present in the chain embedded in the OCSP
response. So we add it if necessary. */
/* First make sure the peer cert chain includes both a peer and an issuer,
and the OCSP response contains a responder cert. */
if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
/* Find issuer of responder cert and add it to the OCSP response chain */
for(i = 0; i < sk_X509_num(ch); i++) {
X509 *issuer = sk_X509_value(ch, i);
if(X509_check_issued(issuer, responder) == X509_V_OK) {
if(!OCSP_basic_add1_cert(br, issuer)) {
failf(data, "Could not add issuer cert to OCSP response");
result = CURLE_SSL_INVALIDCERTSTATUS;
goto end;
}
}
}
}
#endif
if(OCSP_basic_verify(br, ch, st, 0) <= 0) { if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
failf(data, "OCSP response verification failed"); failf(data, "OCSP response verification failed");
result = CURLE_SSL_INVALIDCERTSTATUS; result = CURLE_SSL_INVALIDCERTSTATUS;
@ -2856,9 +2754,8 @@ static void ossl_trace(int direction, int ssl_ver, int content_type,
#ifdef USE_OPENSSL #ifdef USE_OPENSSL
/* ====================================================== */ /* ====================================================== */
/* Check for OpenSSL 1.0.2 which has ALPN support. */ /* Check for ALPN support. */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L \ #ifndef OPENSSL_NO_TLSEXT
&& !defined(OPENSSL_NO_TLSEXT)
# define HAS_ALPN_OPENSSL # define HAS_ALPN_OPENSSL
#endif #endif
@ -2991,20 +2888,10 @@ ossl_set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
#endif #endif
FALLTHROUGH(); FALLTHROUGH();
case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_2:
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
*ctx_options |= SSL_OP_NO_TLSv1_1; *ctx_options |= SSL_OP_NO_TLSv1_1;
#else
failf(data, OSSL_PACKAGE " was built without TLS 1.2 support");
return CURLE_NOT_BUILT_IN;
#endif
FALLTHROUGH(); FALLTHROUGH();
case CURL_SSLVERSION_TLSv1_1: case CURL_SSLVERSION_TLSv1_1:
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
*ctx_options |= SSL_OP_NO_TLSv1; *ctx_options |= SSL_OP_NO_TLSv1;
#else
failf(data, OSSL_PACKAGE " was built without TLS 1.1 support");
return CURLE_NOT_BUILT_IN;
#endif
FALLTHROUGH(); FALLTHROUGH();
case CURL_SSLVERSION_TLSv1_0: case CURL_SSLVERSION_TLSv1_0:
case CURL_SSLVERSION_TLSv1: case CURL_SSLVERSION_TLSv1:
@ -3013,14 +2900,10 @@ ossl_set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
switch(ssl_version_max) { switch(ssl_version_max) {
case CURL_SSLVERSION_MAX_TLSv1_0: case CURL_SSLVERSION_MAX_TLSv1_0:
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
*ctx_options |= SSL_OP_NO_TLSv1_1; *ctx_options |= SSL_OP_NO_TLSv1_1;
#endif
FALLTHROUGH(); FALLTHROUGH();
case CURL_SSLVERSION_MAX_TLSv1_1: case CURL_SSLVERSION_MAX_TLSv1_1:
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
*ctx_options |= SSL_OP_NO_TLSv1_2; *ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
FALLTHROUGH(); FALLTHROUGH();
case CURL_SSLVERSION_MAX_TLSv1_2: case CURL_SSLVERSION_MAX_TLSv1_2:
#ifdef TLS1_3_VERSION #ifdef TLS1_3_VERSION
@ -3165,7 +3048,7 @@ static CURLcode load_cacert_from_memory(X509_STORE *store,
return (count > 0) ? CURLE_OK : CURLE_SSL_CACERT_BADFILE; return (count > 0) ? CURLE_OK : CURLE_SSL_CACERT_BADFILE;
} }
#if defined(USE_WIN32_CRYPTO) #ifdef USE_WIN32_CRYPTO
static CURLcode import_windows_cert_store(struct Curl_easy *data, static CURLcode import_windows_cert_store(struct Curl_easy *data,
const char *name, const char *name,
X509_STORE *store, X509_STORE *store,
@ -3333,7 +3216,7 @@ static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf,
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
if(verifypeer) { if(verifypeer) {
#if defined(USE_WIN32_CRYPTO) #ifdef USE_WIN32_CRYPTO
/* Import certificates from the Windows root certificate store if /* Import certificates from the Windows root certificate store if
requested. requested.
https://stackoverflow.com/questions/9507184/ https://stackoverflow.com/questions/9507184/
@ -3451,7 +3334,7 @@ static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf,
https://web.archive.org/web/20190422050538/ https://web.archive.org/web/20190422050538/
rt.openssl.org/Ticket/Display.html?id=3621 rt.openssl.org/Ticket/Display.html?id=3621
*/ */
#if defined(X509_V_FLAG_TRUSTED_FIRST) #ifdef X509_V_FLAG_TRUSTED_FIRST
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST); X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
#endif #endif
#ifdef X509_V_FLAG_PARTIAL_CHAIN #ifdef X509_V_FLAG_PARTIAL_CHAIN
@ -3472,7 +3355,7 @@ static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf,
return result; return result;
} }
#if defined(HAVE_SSL_X509_STORE_SHARE) #ifdef HAVE_SSL_X509_STORE_SHARE
/* key to use at `multi->proto_hash` */ /* key to use at `multi->proto_hash` */
#define MPROTO_OSSL_X509_KEY "tls:ossl:x509:share" #define MPROTO_OSSL_X509_KEY "tls:ossl:x509:share"
@ -3652,7 +3535,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
const char *ciphers; const char *ciphers;
SSL_METHOD_QUAL SSL_METHOD *req_method = NULL; const SSL_METHOD *req_method = NULL;
ctx_option_t ctx_options = 0; ctx_option_t ctx_options = 0;
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
@ -3891,7 +3774,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
SSL_CTX_set_post_handshake_auth(octx->ssl_ctx, 1); SSL_CTX_set_post_handshake_auth(octx->ssl_ctx, 1);
#endif #endif
#ifdef HAVE_SSL_CTX_SET_EC_CURVES
{ {
const char *curves = conn_config->curves; const char *curves = conn_config->curves;
if(curves) { if(curves) {
@ -3901,7 +3783,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
} }
} }
} }
#endif
#ifdef USE_OPENSSL_SRP #ifdef USE_OPENSSL_SRP
if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) { if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) {
@ -3985,8 +3866,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
SSL_set_app_data(octx->ssl, ssl_user_data); SSL_set_app_data(octx->ssl, ssl_user_data);
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
!defined(OPENSSL_NO_OCSP)
if(conn_config->verifystatus) if(conn_config->verifystatus)
SSL_set_tlsext_status_type(octx->ssl, TLSEXT_STATUSTYPE_ocsp); SSL_set_tlsext_status_type(octx->ssl, TLSEXT_STATUSTYPE_ocsp);
#endif #endif
@ -4388,7 +4268,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
else else
failf(data, "%s", "SSL certificate verification failed"); failf(data, "%s", "SSL certificate verification failed");
} }
#if defined(SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED) #ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
/* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */ OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */
else if((lib == ERR_LIB_SSL) && else if((lib == ERR_LIB_SSL) &&
@ -4857,8 +4737,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
} }
infof_certstack(data, octx->ssl); infof_certstack(data, octx->ssl);
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
!defined(OPENSSL_NO_OCSP)
if(conn_config->verifystatus && !octx->reused_session) { if(conn_config->verifystatus && !octx->reused_session) {
/* do not do this after Session ID reuse */ /* do not do this after Session ID reuse */
result = verifystatus(cf, data, octx); result = verifystatus(cf, data, octx);
@ -5254,7 +5133,6 @@ static CURLcode ossl_get_channel_binding(struct Curl_easy *data, int sockindex,
size_t Curl_ossl_version(char *buffer, size_t size) size_t Curl_ossl_version(char *buffer, size_t size)
{ {
#ifdef LIBRESSL_VERSION_NUMBER #ifdef LIBRESSL_VERSION_NUMBER
#ifdef HAVE_OPENSSL_VERSION
char *p; char *p;
size_t count; size_t count;
const char *ver = OpenSSL_version(OPENSSL_VERSION); const char *ver = OpenSSL_version(OPENSSL_VERSION);
@ -5268,13 +5146,6 @@ size_t Curl_ossl_version(char *buffer, size_t size)
*p = '_'; *p = '_';
} }
return count; return count;
#else
return msnprintf(buffer, size, "%s/%lx.%lx.%lx",
OSSL_PACKAGE,
(LIBRESSL_VERSION_NUMBER >> 28) & 0xf,
(LIBRESSL_VERSION_NUMBER >> 20) & 0xff,
(LIBRESSL_VERSION_NUMBER >> 12) & 0xff);
#endif
#elif defined(OPENSSL_IS_BORINGSSL) #elif defined(OPENSSL_IS_BORINGSSL)
#ifdef CURL_BORINGSSL_VERSION #ifdef CURL_BORINGSSL_VERSION
return msnprintf(buffer, size, "%s/%s", return msnprintf(buffer, size, "%s/%s",
@ -5298,25 +5169,19 @@ size_t Curl_ossl_version(char *buffer, size_t size)
sub[2]='\0'; sub[2]='\0';
sub[1]='\0'; sub[1]='\0';
ssleay_value = OpenSSL_version_num(); ssleay_value = OpenSSL_version_num();
if(ssleay_value < 0x906000) { if(ssleay_value&0xff0) {
ssleay_value = SSLEAY_VERSION_NUMBER; int minor_ver = (ssleay_value >> 4) & 0xff;
sub[0]='\0'; if(minor_ver > 26) {
} /* handle extended version introduced for 0.9.8za */
else { sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
if(ssleay_value&0xff0) { sub[0] = 'z';
int minor_ver = (ssleay_value >> 4) & 0xff; }
if(minor_ver > 26) { else {
/* handle extended version introduced for 0.9.8za */ sub[0] = (char) (minor_ver + 'a' - 1);
sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
sub[0] = 'z';
}
else {
sub[0] = (char) (minor_ver + 'a' - 1);
}
} }
else
sub[0]='\0';
} }
else
sub[0]='\0';
return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s" return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s"
#ifdef OPENSSL_FIPS #ifdef OPENSSL_FIPS
@ -5349,7 +5214,7 @@ static CURLcode ossl_random(struct Curl_easy *data,
return rc == 1 ? CURLE_OK : CURLE_FAILED_INIT; return rc == 1 ? CURLE_OK : CURLE_FAILED_INIT;
} }
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) #ifndef OPENSSL_NO_SHA256
static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */ static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */
size_t tmplen, size_t tmplen,
unsigned char *sha256sum /* output */, unsigned char *sha256sum /* output */,
@ -5375,8 +5240,7 @@ static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */
static bool ossl_cert_status_request(void) static bool ossl_cert_status_request(void)
{ {
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
!defined(OPENSSL_NO_OCSP)
return TRUE; return TRUE;
#else #else
return FALSE; return FALSE;
@ -5429,7 +5293,7 @@ const struct Curl_ssl Curl_ssl_openssl = {
ossl_set_engine_default, /* set_engine_default */ ossl_set_engine_default, /* set_engine_default */
ossl_engines_list, /* engines_list */ ossl_engines_list, /* engines_list */
NULL, /* false_start */ NULL, /* false_start */
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) #ifndef OPENSSL_NO_SHA256
ossl_sha256sum, /* sha256sum */ ossl_sha256sum, /* sha256sum */
#else #else
NULL, /* sha256sum */ NULL, /* sha256sum */
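Review bot: Dropping the OCSP responder-issuer workaround in verifystatus (the block removed right after `st = SSL_CTX_get_cert_store(octx->ssl_ctx);`) leaves exactly OpenSSL 1.0.2a without it, because the new floor `#elif OPENSSL_VERSION_NUMBER < 0x1000201fL` still admits 1.0.2a while the removed guard covered `<= 0x1000201fL` and its own comment says the bug was "Fixed after 1.0.2a". On that one release a stapled response whose responder certificate is issued by an intermediate would now fail `OCSP_basic_verify` and the handshake is rejected with CURLE_SSL_INVALIDCERTSTATUS — fail-closed, so not a verification bypass, but a regression for a version the docs line in this same commit advertises as supported. Either raise the floor one release, `#elif OPENSSL_VERSION_NUMBER < 0x1000202fL /* 1.0.2b */` with the matching `# error` text and docs entry, or reinstate the loop under `#if OPENSSL_VERSION_NUMBER == 0x1000201fL`; the LibreSSL half of the old guard (<= 2.4.2) sits safely below the new 2.9.1 floor and can stay gone. Separately, the closing comment on the BIO accessor shims now reads `#endif /* HAVE_PRE_1_1_API */`, naming a macro that this commit removes along with USE_PRE_1_1_API and that is defined nowhere in the visible hunks; `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */` would match the guard it closes. verifystatus and the other functions touched here start and end outside the visible hunks.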