ITS#9323 - Limit to OpenSSL 1.0.2 or later

c1411b81 · Quanah Gibson-Mount · 9666306d · c1411b81 · c1411b81 · c1411b81
Commit c1411b81 authored Aug 25, 2020 by Quanah Gibson-Mount
--- a/build/openldap.m4
+++ b/build/openldap.m4
@@ -806,19 +806,3 @@ AC_DEFUN([OL_SASL_COMPAT],
 #endif
 	],	[ol_cv_sasl_compat=yes], [ol_cv_sasl_compat=no])])
 ])
-dnl ====================================================================
-dnl check for SSL compatibility
-AC_DEFUN([OL_SSL_COMPAT],
-[AC_CACHE_CHECK([OpenSSL library version (CRL checking capability)],
-	[ol_cv_ssl_crl_compat],[
-		AC_EGREP_CPP(__ssl_compat,[
-#ifdef HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#endif
-
-/* Require 0.9.7d+ */
-#if OPENSSL_VERSION_NUMBER >= 0x0090704fL
-	char *__ssl_compat = "0.9.7d";
-#endif
-	], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
-])
--- a/configure.in
+++ b/configure.in
@@ -1163,6 +1163,13 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
 	AC_CHECK_HEADERS(openssl/ssl.h)

 	if test $ac_cv_header_openssl_ssl_h = yes ; then
+			AC_PREPROC_IFELSE([AC_LANG_SOURCE(
+				[[#include <openssl/opensslv.h>]
+[#if OPENSSL_VERSION_NUMBER < 0x1000200fL]
+[#error "OpenSSL is too old"]
+[#endif]])],
+					, [AC_MSG_FAILURE([OpenSSL 1.0.2a or newer required])])
+
 		AC_CHECK_LIB(ssl, SSL_CTX_set_msg_callback,
 			[have_openssl=yes
 			need_rsaref=no], [have_openssl=no],
@@ -1191,12 +1198,6 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
 			else
 				TLS_LIBS="-lssl -lcrypto"
 			fi
-
-			OL_SSL_COMPAT
-			if test $ol_cv_ssl_crl_compat = yes ; then
-				AC_DEFINE(HAVE_OPENSSL_CRL, 1, 
-					[define if you have OpenSSL with CRL checking capability])
-			fi
 		fi
 	fi
 fi

--- a/include/portable.hin
+++ b/include/portable.hin
@@ -373,9 +373,6 @@
 /* Define to 1 if you have the <openssl/bn.h> header file. */
 #undef HAVE_OPENSSL_BN_H

-/* define if you have OpenSSL with CRL checking capability */
-#undef HAVE_OPENSSL_CRL
-
 /* Define to 1 if you have the <openssl/crypto.h> header file. */
 #undef HAVE_OPENSSL_CRYPTO_H


--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -126,7 +126,7 @@ static const struct ol_attribute {
 	{0, ATTR_TLS,	"TLS_PEERKEY_HASH",	NULL,	LDAP_OPT_X_TLS_PEERKEY_HASH},
 	{0, ATTR_TLS,	"TLS_ECNAME",		NULL,	LDAP_OPT_X_TLS_ECNAME},

-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	{0, ATTR_TLS,	"TLS_CRLCHECK",		NULL,	LDAP_OPT_X_TLS_CRLCHECK},
 #endif
 #ifdef HAVE_GNUTLS

--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -629,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
 		}
 		return ldap_pvt_tls_set_option( ld, option, &i );
 		}
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
 		i = -1;
 		if ( strcasecmp( arg, "none" ) == 0 ) {
@@ -719,7 +719,7 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 	case LDAP_OPT_X_TLS_REQUIRE_SAN:
 		*(int *)arg = lo->ldo_tls_require_san;
 		break;
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
 		*(int *)arg = lo->ldo_tls_crlcheck;
 		break;
@@ -937,7 +937,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 			return 0;
 		}
 		return -1;
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
 		if ( !arg ) return -1;
 		switch( *(int *) arg ) {

--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -46,8 +46,6 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/dh.h>
-#elif defined( HAVE_SSL_H )
-#include <ssl.h>
 #endif

 #if OPENSSL_VERSION_NUMBER >= 0x10100000
@@ -244,11 +242,7 @@ tlso_destroy( void )

 #if OPENSSL_VERSION_NUMBER < 0x10100000
 	EVP_cleanup();
-#if OPENSSL_VERSION_NUMBER < 0x10000000
-	ERR_remove_state(0);
-#else
 	ERR_remove_thread_state(NULL);
-#endif
 	ERR_free_strings();
 #endif

@@ -498,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 	SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
 #endif
-#ifdef HAVE_OPENSSL_CRL
 	if ( lo->ldo_tls_crlcheck ) {
 		X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
 		if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
@@ -508,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 					X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL  );
 		}
 	}
-#endif
 	return 0;
 }

@@ -904,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
 static int
 tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 {
-#if OPENSSL_VERSION_NUMBER >= 0x00908000
 	tlso_session *s = (tlso_session *)sess;
 	const EVP_MD *md;
 	unsigned int md_len;
@@ -944,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 	buf->bv_len = md_len;

 	return md_len;
-#else
-	return 0;
-#endif
 }

 static const char *
@@ -1470,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 	RSA *tmp_rsa;
 	/* FIXME:  Pregenerate the key on startup */
 	/* FIXME:  Who frees the key? */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000
 	BIGNUM *bn = BN_new();
 	tmp_rsa = NULL;
 	if ( bn ) {
@@ -1483,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 		}
 		BN_free( bn );
 	}
-#else
-	tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
-#endif

 	if ( !tmp_rsa ) {
 		Debug2( LDAP_DEBUG_ANY,

--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = {
 			"EQUALITY caseExactMatch "
 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 	{ "TLSCRLCheck", NULL, 2, 2, 0,
-#if defined(HAVE_TLS) && defined(HAVE_OPENSSL_CRL)
+#if defined(HAVE_TLS) && defined(HAVE_OPENSSL)
 		CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config,
 #else
 		ARG_IGNORED, NULL,

--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1492,7 +1492,7 @@ static slap_cf_aux_table bindkey[] = {
 	{ BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
 	{ BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
 	{ BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	{ BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
 #endif
 #endif
@@ -1873,7 +1873,7 @@ void bindconf_free( slap_bindconf *bc ) {
 		ch_free( bc->sb_tls_ecname );
 		bc->sb_tls_ecname = NULL;
 	}
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	if ( bc->sb_tls_crlcheck ) {
 		ch_free( bc->sb_tls_crlcheck );
 		bc->sb_tls_crlcheck = NULL;
@@ -1913,7 +1913,7 @@ bindconf_tls_defaults( slap_bindconf *bc )
 		if ( !bc->sb_tls_ecname )
 			slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
 				&bc->sb_tls_ecname );
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 		if ( !bc->sb_tls_crlcheck )
 			slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
 				&bc->sb_tls_crlcheck );
@@ -1986,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 			res = -1;
 		}
 	}
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	if ( bc->sb_tls_crlcheck ) {
 		rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
 			bc->sb_tls_crlcheck );

--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1655,7 +1655,7 @@ typedef struct slap_bindconf {
 	char *sb_tls_cipher_suite;
 	char *sb_tls_protocol_min;
 	char *sb_tls_ecname;
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	char *sb_tls_crlcheck;
 #endif
 	int sb_tls_do_init;