Commit c1411b81 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount
Browse files

ITS#9323 - Limit to OpenSSL 1.0.2 or later

parent 9666306d
......@@ -806,19 +806,3 @@ AC_DEFUN([OL_SASL_COMPAT],
#endif
], [ol_cv_sasl_compat=yes], [ol_cv_sasl_compat=no])])
])
dnl ====================================================================
dnl check for SSL compatibility
AC_DEFUN([OL_SSL_COMPAT],
[AC_CACHE_CHECK([OpenSSL library version (CRL checking capability)],
[ol_cv_ssl_crl_compat],[
AC_EGREP_CPP(__ssl_compat,[
#ifdef HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#endif
/* Require 0.9.7d+ */
#if OPENSSL_VERSION_NUMBER >= 0x0090704fL
char *__ssl_compat = "0.9.7d";
#endif
], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
])
......@@ -1163,6 +1163,13 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
AC_CHECK_HEADERS(openssl/ssl.h)
if test $ac_cv_header_openssl_ssl_h = yes ; then
AC_PREPROC_IFELSE([AC_LANG_SOURCE(
[[#include <openssl/opensslv.h>]
[#if OPENSSL_VERSION_NUMBER < 0x1000200fL]
[#error "OpenSSL is too old"]
[#endif]])],
, [AC_MSG_FAILURE([OpenSSL 1.0.2a or newer required])])
AC_CHECK_LIB(ssl, SSL_CTX_set_msg_callback,
[have_openssl=yes
need_rsaref=no], [have_openssl=no],
......@@ -1191,12 +1198,6 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
else
TLS_LIBS="-lssl -lcrypto"
fi
OL_SSL_COMPAT
if test $ol_cv_ssl_crl_compat = yes ; then
AC_DEFINE(HAVE_OPENSSL_CRL, 1,
[define if you have OpenSSL with CRL checking capability])
fi
fi
fi
fi
......
......@@ -373,9 +373,6 @@
/* Define to 1 if you have the <openssl/bn.h> header file. */
#undef HAVE_OPENSSL_BN_H
/* define if you have OpenSSL with CRL checking capability */
#undef HAVE_OPENSSL_CRL
/* Define to 1 if you have the <openssl/crypto.h> header file. */
#undef HAVE_OPENSSL_CRYPTO_H
......
......@@ -126,7 +126,7 @@ static const struct ol_attribute {
{0, ATTR_TLS, "TLS_PEERKEY_HASH", NULL, LDAP_OPT_X_TLS_PEERKEY_HASH},
{0, ATTR_TLS, "TLS_ECNAME", NULL, LDAP_OPT_X_TLS_ECNAME},
#ifdef HAVE_OPENSSL_CRL
#ifdef HAVE_OPENSSL
{0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK},
#endif
#ifdef HAVE_GNUTLS
......
......@@ -629,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
}
return ldap_pvt_tls_set_option( ld, option, &i );
}
#ifdef HAVE_OPENSSL_CRL
#ifdef HAVE_OPENSSL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
i = -1;
if ( strcasecmp( arg, "none" ) == 0 ) {
......@@ -719,7 +719,7 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_REQUIRE_SAN:
*(int *)arg = lo->ldo_tls_require_san;
break;
#ifdef HAVE_OPENSSL_CRL
#ifdef HAVE_OPENSSL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
*(int *)arg = lo->ldo_tls_crlcheck;
break;
......@@ -937,7 +937,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
return 0;
}
return -1;
#ifdef HAVE_OPENSSL_CRL
#ifdef HAVE_OPENSSL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
if ( !arg ) return -1;
switch( *(int *) arg ) {
......
......@@ -46,8 +46,6 @@
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/dh.h>
#elif defined( HAVE_SSL_H )
#include <ssl.h>
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000
......@@ -244,11 +242,7 @@ tlso_destroy( void )
#if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_cleanup();
#if OPENSSL_VERSION_NUMBER < 0x10000000
ERR_remove_state(0);
#else
ERR_remove_thread_state(NULL);
#endif
ERR_free_strings();
#endif
......@@ -498,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#if OPENSSL_VERSION_NUMBER < 0x10100000
SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
#endif
#ifdef HAVE_OPENSSL_CRL
if ( lo->ldo_tls_crlcheck ) {
X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
......@@ -508,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
}
}
#endif
return 0;
}
......@@ -904,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
static int
tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
{
#if OPENSSL_VERSION_NUMBER >= 0x00908000
tlso_session *s = (tlso_session *)sess;
const EVP_MD *md;
unsigned int md_len;
......@@ -944,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
buf->bv_len = md_len;
return md_len;
#else
return 0;
#endif
}
static const char *
......@@ -1470,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
RSA *tmp_rsa;
/* FIXME: Pregenerate the key on startup */
/* FIXME: Who frees the key? */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
BIGNUM *bn = BN_new();
tmp_rsa = NULL;
if ( bn ) {
......@@ -1483,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
}
BN_free( bn );
}
#else
tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
#endif
if ( !tmp_rsa ) {
Debug2( LDAP_DEBUG_ANY,
......
......@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = {
"EQUALITY caseExactMatch "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "TLSCRLCheck", NULL, 2, 2, 0,
#if defined(HAVE_TLS) && defined(HAVE_OPENSSL_CRL)
#if defined(HAVE_TLS) && defined(HAVE_OPENSSL)
CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config,
#else
ARG_IGNORED, NULL,
......
......@@ -1492,7 +1492,7 @@ static slap_cf_aux_table bindkey[] = {
{ BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
{ BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
{ BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
#ifdef HAVE_OPENSSL_CRL
#ifdef HAVE_OPENSSL
{ BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
#endif
#endif
......@@ -1873,7 +1873,7 @@ void bindconf_free( slap_bindconf *bc ) {
ch_free( bc->sb_tls_ecname );
bc->sb_tls_ecname = NULL;
}
#ifdef HAVE_OPENSSL_CRL
#ifdef HAVE_OPENSSL
if ( bc->sb_tls_crlcheck ) {
ch_free( bc->sb_tls_crlcheck );
bc->sb_tls_crlcheck = NULL;
......@@ -1913,7 +1913,7 @@ bindconf_tls_defaults( slap_bindconf *bc )
if ( !bc->sb_tls_ecname )
slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
&bc->sb_tls_ecname );
#ifdef HAVE_OPENSSL_CRL
#ifdef HAVE_OPENSSL
if ( !bc->sb_tls_crlcheck )
slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
&bc->sb_tls_crlcheck );
......@@ -1986,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
res = -1;
}
}
#ifdef HAVE_OPENSSL_CRL
#ifdef HAVE_OPENSSL
if ( bc->sb_tls_crlcheck ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
bc->sb_tls_crlcheck );
......
......@@ -1655,7 +1655,7 @@ typedef struct slap_bindconf {
char *sb_tls_cipher_suite;
char *sb_tls_protocol_min;
char *sb_tls_ecname;
#ifdef HAVE_OPENSSL_CRL
#ifdef HAVE_OPENSSL
char *sb_tls_crlcheck;
#endif
int sb_tls_do_init;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment