From: Sebastian Andrzej Siewior Date: Wed, 8 Nov 2017 13:37:31 +0000 (+0100) Subject: crypto: remove support for ancient openssl X-Git-Tag: Release-9.0.6~25 X-Git-Url: https://git.sur5r.net/?p=bacula%2Fbacula;a=commitdiff_plain;h=5f20ce1dd3cd79137ae7650bf2461be8d41c1a8b crypto: remove support for ancient openssl OpenSSL 1.0.2 is still supported. Everything earlier is not so the old code for compat can be thrown away, especially the 0.9.8 support. TLSv1_method() should not be used and SSLv23_method() should be preferred because the latter supports TLS1.0…1.2 while the former _only_ tries TLS1.0. Signed-off-by: Sebastian Andrzej Siewior --- diff --git a/bacula/src/lib/crypto.c b/bacula/src/lib/crypto.c index 9f309d58e4..b4403eb456 100644 --- a/bacula/src/lib/crypto.c +++ b/bacula/src/lib/crypto.c @@ -307,12 +307,7 @@ static ASN1_OCTET_STRING *openssl_cert_keyid(X509 *cert) { const X509V3_EXT_METHOD *method; ASN1_OCTET_STRING *keyid; int i; -#if (OPENSSL_VERSION_NUMBER >= 0x0090800FL) const unsigned char *ext_value_data; -#else - unsigned char *ext_value_data; -#endif - /* Find the index to the subjectKeyIdentifier extension */ i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); @@ -331,7 +326,6 @@ static ASN1_OCTET_STRING *openssl_cert_keyid(X509 *cert) { ext_value_data = ext->value->data; -#if (OPENSSL_VERSION_NUMBER > 0x00907000L) if (method->it) { /* New style ASN1 */ @@ -345,10 +339,6 @@ static ASN1_OCTET_STRING *openssl_cert_keyid(X509 *cert) { keyid = (ASN1_OCTET_STRING *) method->d2i(NULL, &ext_value_data, ext->value->length); } -#else - keyid = (ASN1_OCTET_STRING *) method->d2i(NULL, &ext_value_data, ext->value->length); -#endif - return keyid; } @@ -783,11 +773,7 @@ crypto_error_t crypto_sign_verify(SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST SignerInfo *si; int ok, i; unsigned int sigLen; -#if (OPENSSL_VERSION_NUMBER >= 0x0090800FL) const unsigned char *sigData; -#else - unsigned char *sigData; -#endif signers = sig->sigData->signerInfo; @@ -934,11 +920,7 @@ int crypto_sign_encode(SIGNATURE *sig, uint8_t *dest, uint32_t *length) SIGNATURE *crypto_sign_decode(JCR *jcr, const uint8_t *sigData, uint32_t length) { SIGNATURE *sig; -#if (OPENSSL_VERSION_NUMBER >= 0x0090800FL) const unsigned char *p = (const unsigned char *) sigData; -#else - unsigned char *p = (unsigned char *)sigData; -#endif sig = (SIGNATURE *)malloc(sizeof(SIGNATURE)); if (!sig) { @@ -1156,11 +1138,7 @@ crypto_error_t crypto_session_decode(const uint8_t *data, uint32_t length, alist X509_KEYPAIR *keypair; STACK_OF(RecipientInfo) *recipients; crypto_error_t retval = CRYPTO_ERROR_NONE; -#if (OPENSSL_VERSION_NUMBER >= 0x0090800FL) const unsigned char *p = (const unsigned char *)data; -#else - unsigned char *p = (unsigned char *)data; -#endif /* bacula-fd.conf doesn't contains any key */ if (!keypairs) { diff --git a/bacula/src/lib/tls.c b/bacula/src/lib/tls.c index f444a276a5..992265b38a 100644 --- a/bacula/src/lib/tls.c +++ b/bacula/src/lib/tls.c @@ -118,13 +118,10 @@ TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir, /* Allows SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols */ ctx->openssl = SSL_CTX_new(TLS_method()); -#elif (OPENSSL_VERSION_NUMBER >= 0x10000000L) +#else /* Allows most all protocols */ ctx->openssl = SSL_CTX_new(SSLv23_method()); -#else - /* Older method only understands TLSv1 */ - ctx->openssl = SSL_CTX_new(TLSv1_method()); #endif /* Use SSL_OP_ALL to turn on all "rather harmless" workarounds that @@ -337,11 +334,7 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host STACK_OF(CONF_VALUE) *val; CONF_VALUE *nval; void *extstr = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x0090800FL) const unsigned char *ext_value_data; -#else - unsigned char *ext_value_data; -#endif /* Get x509 extension method structure */ if (!(method = X509V3_EXT_get(ext))) { @@ -350,7 +343,6 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host ext_value_data = ext->value->data; -#if (OPENSSL_VERSION_NUMBER > 0x00907000L) if (method->it) { /* New style ASN1 */ @@ -364,10 +356,6 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host extstr = method->d2i(NULL, &ext_value_data, ext->value->length); } -#else - extstr = method->d2i(NULL, &ext_value_data, ext->value->length); -#endif - /* Iterate through to find the dNSName field(s) */ val = method->i2v(method, extstr, NULL);