Commit c1411b81 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

ITS#9323 - Limit to OpenSSL 1.0.2 or later

parent 9666306d
...@@ -806,19 +806,3 @@ AC_DEFUN([OL_SASL_COMPAT], ...@@ -806,19 +806,3 @@ AC_DEFUN([OL_SASL_COMPAT],
#endif #endif
], [ol_cv_sasl_compat=yes], [ol_cv_sasl_compat=no])]) ], [ol_cv_sasl_compat=yes], [ol_cv_sasl_compat=no])])
]) ])
dnl ====================================================================
dnl check for SSL compatibility
AC_DEFUN([OL_SSL_COMPAT],
[AC_CACHE_CHECK([OpenSSL library version (CRL checking capability)],
[ol_cv_ssl_crl_compat],[
AC_EGREP_CPP(__ssl_compat,[
#ifdef HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#endif
/* Require 0.9.7d+ */
#if OPENSSL_VERSION_NUMBER >= 0x0090704fL
char *__ssl_compat = "0.9.7d";
#endif
], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
])
...@@ -1163,6 +1163,13 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then ...@@ -1163,6 +1163,13 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
AC_CHECK_HEADERS(openssl/ssl.h) AC_CHECK_HEADERS(openssl/ssl.h)
if test $ac_cv_header_openssl_ssl_h = yes ; then if test $ac_cv_header_openssl_ssl_h = yes ; then
AC_PREPROC_IFELSE([AC_LANG_SOURCE(
[[#include <openssl/opensslv.h>]
[#if OPENSSL_VERSION_NUMBER < 0x1000200fL]
[#error "OpenSSL is too old"]
[#endif]])],
, [AC_MSG_FAILURE([OpenSSL 1.0.2a or newer required])])
AC_CHECK_LIB(ssl, SSL_CTX_set_msg_callback, AC_CHECK_LIB(ssl, SSL_CTX_set_msg_callback,
[have_openssl=yes [have_openssl=yes
need_rsaref=no], [have_openssl=no], need_rsaref=no], [have_openssl=no],
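Review bot: The failure message on the AC_MSG_FAILURE line says `OpenSSL 1.0.2a or newer required`, but the preprocessor test rejects only `OPENSSL_VERSION_NUMBER < 0x1000200fL`, so the 1.0.2 base release (patch letter 0) is accepted; the two should agree, e.g. `[AC_MSG_FAILURE([OpenSSL 1.0.2 or newer required])]`, which also matches the commit title. Separately, because this check sits inside the `ol_with_tls = openssl || ol_with_tls = auto` branch named in the hunk header, an `auto` configuration on a host whose openssl/ssl.h is older than 1.0.2 now aborts configure instead of ending up with `have_openssl=no`; if falling through to another TLS backend was intended for `auto`, the hard failure should be limited to `ol_with_tls = openssl`. The enclosing `if` block starts and ends outside the hunk.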
...@@ -1191,12 +1198,6 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then ...@@ -1191,12 +1198,6 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
else else
TLS_LIBS="-lssl -lcrypto" TLS_LIBS="-lssl -lcrypto"
fi fi
OL_SSL_COMPAT
if test $ol_cv_ssl_crl_compat = yes ; then
AC_DEFINE(HAVE_OPENSSL_CRL, 1,
[define if you have OpenSSL with CRL checking capability])
fi
fi fi
fi fi
fi fi
......
...@@ -373,9 +373,6 @@ ...@@ -373,9 +373,6 @@
/* Define to 1 if you have the <openssl/bn.h> header file. */ /* Define to 1 if you have the <openssl/bn.h> header file. */
#undef HAVE_OPENSSL_BN_H #undef HAVE_OPENSSL_BN_H
/* define if you have OpenSSL with CRL checking capability */
#undef HAVE_OPENSSL_CRL
/* Define to 1 if you have the <openssl/crypto.h> header file. */ /* Define to 1 if you have the <openssl/crypto.h> header file. */
#undef HAVE_OPENSSL_CRYPTO_H #undef HAVE_OPENSSL_CRYPTO_H
......
...@@ -126,7 +126,7 @@ static const struct ol_attribute { ...@@ -126,7 +126,7 @@ static const struct ol_attribute {
{0, ATTR_TLS, "TLS_PEERKEY_HASH", NULL, LDAP_OPT_X_TLS_PEERKEY_HASH}, {0, ATTR_TLS, "TLS_PEERKEY_HASH", NULL, LDAP_OPT_X_TLS_PEERKEY_HASH},
{0, ATTR_TLS, "TLS_ECNAME", NULL, LDAP_OPT_X_TLS_ECNAME}, {0, ATTR_TLS, "TLS_ECNAME", NULL, LDAP_OPT_X_TLS_ECNAME},
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
{0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK}, {0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK},
#endif #endif
#ifdef HAVE_GNUTLS #ifdef HAVE_GNUTLS
......
...@@ -629,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg ) ...@@ -629,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
} }
return ldap_pvt_tls_set_option( ld, option, &i ); return ldap_pvt_tls_set_option( ld, option, &i );
} }
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
i = -1; i = -1;
if ( strcasecmp( arg, "none" ) == 0 ) { if ( strcasecmp( arg, "none" ) == 0 ) {
...@@ -719,7 +719,7 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) ...@@ -719,7 +719,7 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_REQUIRE_SAN: case LDAP_OPT_X_TLS_REQUIRE_SAN:
*(int *)arg = lo->ldo_tls_require_san; *(int *)arg = lo->ldo_tls_require_san;
break; break;
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
*(int *)arg = lo->ldo_tls_crlcheck; *(int *)arg = lo->ldo_tls_crlcheck;
break; break;
...@@ -937,7 +937,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) ...@@ -937,7 +937,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
return 0; return 0;
} }
return -1; return -1;
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
if ( !arg ) return -1; if ( !arg ) return -1;
switch( *(int *) arg ) { switch( *(int *) arg ) {
......
...@@ -46,8 +46,6 @@ ...@@ -46,8 +46,6 @@
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/dh.h> #include <openssl/dh.h>
#elif defined( HAVE_SSL_H )
#include <ssl.h>
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000 #if OPENSSL_VERSION_NUMBER >= 0x10100000
...@@ -244,11 +242,7 @@ tlso_destroy( void ) ...@@ -244,11 +242,7 @@ tlso_destroy( void )
#if OPENSSL_VERSION_NUMBER < 0x10100000 #if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_cleanup(); EVP_cleanup();
#if OPENSSL_VERSION_NUMBER < 0x10000000
ERR_remove_state(0);
#else
ERR_remove_thread_state(NULL); ERR_remove_thread_state(NULL);
#endif
ERR_free_strings(); ERR_free_strings();
#endif #endif
...@@ -498,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) ...@@ -498,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#if OPENSSL_VERSION_NUMBER < 0x10100000 #if OPENSSL_VERSION_NUMBER < 0x10100000
SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
#endif #endif
#ifdef HAVE_OPENSSL_CRL
if ( lo->ldo_tls_crlcheck ) { if ( lo->ldo_tls_crlcheck ) {
X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) { if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
...@@ -508,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) ...@@ -508,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL ); X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
} }
} }
#endif
return 0; return 0;
} }
...@@ -904,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server) ...@@ -904,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
static int static int
tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server ) tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
{ {
#if OPENSSL_VERSION_NUMBER >= 0x00908000
tlso_session *s = (tlso_session *)sess; tlso_session *s = (tlso_session *)sess;
const EVP_MD *md; const EVP_MD *md;
unsigned int md_len; unsigned int md_len;
...@@ -944,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server ) ...@@ -944,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
buf->bv_len = md_len; buf->bv_len = md_len;
return md_len; return md_len;
#else
return 0;
#endif
} }
static const char * static const char *
...@@ -1470,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ) ...@@ -1470,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
RSA *tmp_rsa; RSA *tmp_rsa;
/* FIXME: Pregenerate the key on startup */ /* FIXME: Pregenerate the key on startup */
/* FIXME: Who frees the key? */ /* FIXME: Who frees the key? */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
BIGNUM *bn = BN_new(); BIGNUM *bn = BN_new();
tmp_rsa = NULL; tmp_rsa = NULL;
if ( bn ) { if ( bn ) {
...@@ -1483,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ) ...@@ -1483,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
} }
BN_free( bn ); BN_free( bn );
} }
#else
tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
#endif
if ( !tmp_rsa ) { if ( !tmp_rsa ) {
Debug2( LDAP_DEBUG_ANY, Debug2( LDAP_DEBUG_ANY,
......
...@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = { ...@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = {
"EQUALITY caseExactMatch " "EQUALITY caseExactMatch "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "TLSCRLCheck", NULL, 2, 2, 0, { "TLSCRLCheck", NULL, 2, 2, 0,
#if defined(HAVE_TLS) && defined(HAVE_OPENSSL_CRL) #if defined(HAVE_TLS) && defined(HAVE_OPENSSL)
CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config, CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config,
#else #else
ARG_IGNORED, NULL, ARG_IGNORED, NULL,
......
...@@ -1492,7 +1492,7 @@ static slap_cf_aux_table bindkey[] = { ...@@ -1492,7 +1492,7 @@ static slap_cf_aux_table bindkey[] = {
{ BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL }, { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
{ BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL }, { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
{ BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL }, { BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
{ BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL }, { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
#endif #endif
#endif #endif
...@@ -1873,7 +1873,7 @@ void bindconf_free( slap_bindconf *bc ) { ...@@ -1873,7 +1873,7 @@ void bindconf_free( slap_bindconf *bc ) {
ch_free( bc->sb_tls_ecname ); ch_free( bc->sb_tls_ecname );
bc->sb_tls_ecname = NULL; bc->sb_tls_ecname = NULL;
} }
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
if ( bc->sb_tls_crlcheck ) { if ( bc->sb_tls_crlcheck ) {
ch_free( bc->sb_tls_crlcheck ); ch_free( bc->sb_tls_crlcheck );
bc->sb_tls_crlcheck = NULL; bc->sb_tls_crlcheck = NULL;
...@@ -1913,7 +1913,7 @@ bindconf_tls_defaults( slap_bindconf *bc ) ...@@ -1913,7 +1913,7 @@ bindconf_tls_defaults( slap_bindconf *bc )
if ( !bc->sb_tls_ecname ) if ( !bc->sb_tls_ecname )
slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME, slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
&bc->sb_tls_ecname ); &bc->sb_tls_ecname );
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
if ( !bc->sb_tls_crlcheck ) if ( !bc->sb_tls_crlcheck )
slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK, slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
&bc->sb_tls_crlcheck ); &bc->sb_tls_crlcheck );
...@@ -1986,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) ...@@ -1986,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
res = -1; res = -1;
} }
} }
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
if ( bc->sb_tls_crlcheck ) { if ( bc->sb_tls_crlcheck ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK, rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
bc->sb_tls_crlcheck ); bc->sb_tls_crlcheck );
......
...@@ -1655,7 +1655,7 @@ typedef struct slap_bindconf { ...@@ -1655,7 +1655,7 @@ typedef struct slap_bindconf {
char *sb_tls_cipher_suite; char *sb_tls_cipher_suite;
char *sb_tls_protocol_min; char *sb_tls_protocol_min;
char *sb_tls_ecname; char *sb_tls_ecname;
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
char *sb_tls_crlcheck; char *sb_tls_crlcheck;
#endif #endif
int sb_tls_do_init; int sb_tls_do_init;
......