[glib-networking/mcatanzaro/openssl-1.0.2: 2/2] Require OpenSSL 1.0.2




commit 6c706b65679ca40c71d343f232539c8b556e26c7
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Fri Jun 25 13:15:04 2021 -0500

    Require OpenSSL 1.0.2
    
    This bumps our minimum required OpenSSL from 1.0.1 to 1.0.2. Yippee!
    Unfortunately most of our preprocessor guards are here to protect code
    that requires OpenSSL 1.1.0, so we have to retain most of the guards,
    but at least we can remove a few of them.
    
    There are two places where OpenSSL 1.0.2 guards are used to guard code
    that actually requires OpenSSL 1.1.0. I've updated these to properly
    require 1.1.0.
    
    This might break LibreSSL; I have not investigated whether it does.
    
    Fixes #166

 meson.build                                |  2 +-
 tls/openssl/gtlsclientconnection-openssl.c |  4 +-
 tls/openssl/gtlsconnection-openssl.c       |  6 ---
 tls/openssl/gtlsserverconnection-openssl.c | 69 +-----------------------------
 4 files changed, 3 insertions(+), 78 deletions(-)
---
diff --git a/meson.build b/meson.build
index bece675..65caaa4 100644
--- a/meson.build
+++ b/meson.build
@@ -92,7 +92,7 @@ if openssl_option.disabled()
   openssl_dep = []
 else
   # XXX: https://github.com/mesonbuild/meson/issues/2945
-  openssl_dep = dependency('openssl', required: false)
+  openssl_dep = dependency('openssl', version: '>= 1.0.2', required: false)
   if openssl_dep.found()
     backends += ['openssl']
   else
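Review bot: The new floor `version: '>= 1.0.2'` still admits a release line that, to my knowledge, stopped receiving public security fixes at the end of 2019, so builds against an unsupported TLS library remain possible; since the commit message says most remaining guards exist for 1.1.0 anyway, consider `version: '>= 1.1.0'`, or at least a comment on this line recording why 1.0.2 is still accepted. Note also that LibreSSL's pkg-config file reports LibreSSL's own version numbers, so this check says nothing about LibreSSL API coverage; the `LIBRESSL_VERSION_NUMBER` guards in the C files remain the only control there.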
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index 1adb9fe..ff66e44 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -391,7 +391,7 @@ g_tls_client_connection_openssl_initable_init (GInitable       *initable,
   client->session = SSL_SESSION_new ();
 
   client->ssl_ctx = SSL_CTX_new (g_tls_connection_base_is_dtls (G_TLS_CONNECTION_BASE (client))
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
                                  ? DTLS_client_method ()
                                  : TLS_client_method ());
 #else
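Review bot: The guard now jumps to 0x10100000L with no comment explaining why, and the `#else` fallback it selects against lies outside this hunk; a one-line comment such as `/* TLS_client_method() is OpenSSL >= 1.1.0; the #else branch covers 1.0.2 */` would stop the next reader from "correcting" it back to 1.0.2, which is the mistake the commit message says it fixes. g_tls_client_connection_openssl_initable_init continues beyond this hunk.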
@@ -427,7 +427,6 @@ g_tls_client_connection_openssl_initable_init (GInitable       *initable,
 
   hostname = get_server_identity (client);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined (LIBRESSL_VERSION_NUMBER)
   if (hostname)
     {
       X509_VERIFY_PARAM *param;
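Review bot: Dropping the `!defined (LIBRESSL_VERSION_NUMBER)` half of the removed guard means the hostname-verification setup that follows (the `X509_VERIFY_PARAM` block, whose middle lines fall between this hunk and the next) is now compiled for LibreSSL too, where it was previously skipped on purpose. That looks like the "might break LibreSSL" case the commit message mentions and deserves a sentence in the description or a comment here, e.g. `/* Previously skipped on LibreSSL; now required to build there too. */`. If LibreSSL builds previously ran without a verify-param hostname, it is also worth confirming they verified the server identity some other way, since `hostname` being NULL here already means no hostname check is configured.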
@@ -437,7 +436,6 @@ g_tls_client_connection_openssl_initable_init (GInitable       *initable,
       SSL_CTX_set1_param (client->ssl_ctx, param);
       X509_VERIFY_PARAM_free (param);
     }
-#endif
 
   SSL_CTX_add_session (client->ssl_ctx, client->session);
 
diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
index 4c49c56..9cf6ad7 100644
--- a/tls/openssl/gtlsconnection-openssl.c
+++ b/tls/openssl/gtlsconnection-openssl.c
@@ -365,7 +365,6 @@ perform_openssl_io (GTlsConnectionOpenssl  *openssl,
   return status;
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
 static int
 _openssl_alpn_select_cb (SSL                  *ssl,
                          const unsigned char **out,
@@ -482,7 +481,6 @@ g_tls_connection_openssl_prepare_handshake (GTlsConnectionBase  *tls,
       g_byte_array_unref (protocols);
     }
 }
-#endif
 
 static GTlsCertificateFlags
 g_tls_connection_openssl_verify_chain (GTlsConnectionBase       *tls,
@@ -562,7 +560,6 @@ g_tls_connection_openssl_complete_handshake (GTlsConnectionBase   *tls,
   ssl = g_tls_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (tls));
   session = SSL_get_session (ssl);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
   SSL_get0_alpn_selected (ssl, &data, &len);
 
   g_tls_log_debug (tls, "negotiated ALPN protocols: [%d]%p", len, data);
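Review bot: `len` is the `unsigned int` that `SSL_get0_alpn_selected()` fills in, but the debug format on the last line uses `%d`; use `%u`, i.e. `g_tls_log_debug (tls, "negotiated ALPN protocol: [%u]%p", len, data);`, which also keeps -Wformat quiet and makes the message singular, since at most one protocol is selected. Removing the `#if` is sound now that 1.0.2 is the floor, as the ALPN selection API is a 1.0.2 addition. g_tls_connection_openssl_complete_handshake begins before this hunk.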
@@ -572,7 +569,6 @@ g_tls_connection_openssl_complete_handshake (GTlsConnectionBase   *tls,
       g_assert (!*negotiated_protocol);
       *negotiated_protocol = g_strndup ((gchar *)data, len);
     }
-#endif
 
   *protocol_version = glib_protocol_version_from_openssl (SSL_SESSION_get_protocol_version (session));
   *ciphersuite_name = g_strdup (SSL_get_cipher_name (ssl));
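Review bot: `SSL_SESSION_get_protocol_version (session)` on the context line after the removed `#endif` is, as far as I recall, an OpenSSL 1.1.0 addition rather than 1.0.2, so with the new floor it only compiles on 1.0.2 if a compatibility shim elsewhere in the tree defines it; if no such shim exists this is a third 1.1.0 dependency the commit message does not list. A build against an actual 1.0.2 tree, or a comment here naming the shim, would settle it. The function continues beyond this hunk.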
@@ -1071,9 +1067,7 @@ g_tls_connection_openssl_class_init (GTlsConnectionOpensslClass *klass)
 
   object_class->finalize                                 = g_tls_connection_openssl_finalize;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
   base_class->prepare_handshake                          = g_tls_connection_openssl_prepare_handshake;
-#endif
   base_class->verify_chain                               = g_tls_connection_openssl_verify_chain;
   base_class->complete_handshake                         = g_tls_connection_openssl_complete_handshake;
   base_class->handshake_thread_safe_renegotiation_status = 
g_tls_connection_openssl_handshake_thread_safe_renegotiation_status;
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index b648be1..a9958fd 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -154,63 +154,6 @@ g_tls_server_connection_openssl_get_ssl (GTlsConnectionOpenssl *connection)
   return G_TLS_SERVER_CONNECTION_OPENSSL (connection)->ssl;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
-static gboolean
-ssl_ctx_set_certificate (SSL_CTX          *ssl_ctx,
-                         GTlsCertificate  *cert,
-                         GError          **error)
-{
-  EVP_PKEY *key;
-  X509 *x;
-  GTlsCertificate *issuer;
-
-  key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
-
-  if (!key)
-    {
-      g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
-                           _("Certificate has no private key"));
-      return FALSE;
-    }
-
-  if (SSL_CTX_use_PrivateKey (ssl_ctx, key) <= 0)
-    {
-      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
-                   _("There is a problem with the certificate private key: %s"),
-                   ERR_error_string (ERR_get_error (), NULL));
-     return FALSE;
-    }
-
-  x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert));
-  if (SSL_CTX_use_certificate (ssl_ctx, x) <= 0)
-    {
-      g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
-                   _("There is a problem with the certificate: %s"),
-                   ERR_error_string (ERR_get_error (), NULL));
-      return FALSE;
-    }
-
-  /* Add all the issuers to create the full certificate chain */
-  for (issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (cert));
-       issuer;
-       issuer = g_tls_certificate_get_issuer (issuer))
-    {
-      X509 *issuer_x;
-
-      /* Be careful here and duplicate the certificate since the context
-      * will take the ownership
-       */
-      issuer_x = X509_dup (g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (issuer)));
-      if (!SSL_CTX_add_extra_chain_cert (ssl_ctx, issuer_x))
-        g_warning ("There was a problem adding the extra chain certificate: %s",
-                   ERR_error_string (ERR_get_error (), NULL));
-    }
-
-  return TRUE;
-}
-#endif
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
 static gboolean
 ssl_set_certificate (SSL              *ssl,
                      GTlsCertificate  *cert,
@@ -287,7 +230,6 @@ on_certificate_changed (GObject    *object,
   if (ssl && cert)
     ssl_set_certificate (ssl, cert, NULL);
 }
-#endif
 
 static void
 g_tls_server_connection_openssl_class_init (GTlsServerConnectionOpensslClass *klass)
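Review bot: `ssl_set_certificate (ssl, cert, NULL)` in on_certificate_changed discards the GError, so a certificate swap that fails (for example a certificate without a private key) leaves the SSL object serving the previous certificate with no trace in the logs or to the caller; now that this path is unconditional it should at least log the failure. The start of on_certificate_changed is above this hunk.
```c
  if (ssl && cert)
    {
      GError *error = NULL;

      if (!ssl_set_certificate (ssl, cert, &error))
        {
          g_warning ("Failed to apply new server certificate: %s",
                     error ? error->message : "unknown error");
          g_clear_error (&error);
        }
    }
```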
@@ -420,7 +362,7 @@ g_tls_server_connection_openssl_initable_init (GInitable       *initable,
   server->session = SSL_SESSION_new ();
 
   server->ssl_ctx = SSL_CTX_new (g_tls_connection_base_is_dtls (G_TLS_CONNECTION_BASE (server))
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
                                  ? DTLS_server_method ()
                                  : TLS_server_method ());
 #else
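Review bot: As on the client side, the guard now reads 0x10100000L without saying why, and the `#else` fallback is outside this hunk; add `/* TLS_server_method() is OpenSSL >= 1.1.0; the #else branch covers 1.0.2 */` so the two files document the same reasoning. g_tls_server_connection_openssl_initable_init continues beyond this hunk.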
@@ -491,11 +433,6 @@ g_tls_server_connection_openssl_initable_init (GInitable       *initable,
 
   cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (initable));
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
-  if (cert && !ssl_ctx_set_certificate (server->ssl_ctx, cert, error))
-    return FALSE;
-#endif
-
   server->ssl = SSL_new (server->ssl_ctx);
   if (!server->ssl)
     {
@@ -505,10 +442,8 @@ g_tls_server_connection_openssl_initable_init (GInitable       *initable,
       return FALSE;
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
   if (cert && !ssl_set_certificate (server->ssl, cert, error))
     return FALSE;
-#endif
 
   SSL_set_accept_state (server->ssl);
 
@@ -516,9 +451,7 @@ g_tls_server_connection_openssl_initable_init (GInitable       *initable,
       init (initable, cancellable, error))
     return FALSE;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
   g_signal_connect (server, "notify::certificate", G_CALLBACK (on_certificate_changed), NULL);
-#endif
 
   return TRUE;
 }

