Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/05/31 15:30:11 UTC

[tomcat-native] branch main updated (15ec9876b -> a8f07805e)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


    from 15ec9876b Remove NPN support
     new b6952740d Minimum OpenSSL version is 3.0.0 is keylog callback is always available
     new a8f07805e Remove conditional compilation expressions for OpenSSL versions before 3

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 native/include/ssl_private.h |  14 ++---
 native/src/ssl.c             |  50 +++++----------
 native/src/sslcontext.c      | 146 ++++++-------------------------------------
 native/src/sslutils.c        |  11 ----
 4 files changed, 39 insertions(+), 182 deletions(-)


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [tomcat-native] 01/02: Minimum OpenSSL version is 3.0.0 is keylog callback is always available

Posted by Rémy Maucherat <re...@apache.org>.
On Tue, May 31, 2022 at 8:02 PM Mark Thomas <ma...@apache.org> wrote:
>
> On 31/05/2022 17:59, Rémy Maucherat wrote:
> > On Tue, May 31, 2022 at 6:48 PM Mark Thomas <ma...@apache.org> wrote:
>
> <snip/>
>
> >> On that topic, I originally made the decision to keep LibreSSL support
> >> when I thought that 10.1.x would require Tomcat Native 2.0.x. The plan
> >> has since shifted and 10.1.x will ship with Tomcat Native 2.0.x but will
> >> still be able to use (a sufficiently recent) Tomcat Native 1.2.x. With
> >> that in mind, do we want to keep LibreSSL support in Tomcat Native 2.0.x?
> >
> > If tomcat-native 2.0 is fully aligned with what the Panama code does
> > (so no LibreSSL), it would be better for a future transition to it.
> > OTOH, it would force supporting 1.2 for (much) longer.
>
> Hmm. Tricky.
>
> If we assume that we need to support Tomcat Native 1.x until EOL of
> 9.0.x (due to the o.a.t.u.jni package) then we will be supporting 1.x for
> (best guess) until 2028 or so.
>
> OpenSSL 1.1.1 is EOL 2023-09-11 so there is a 4/5 year gap there.
> However, various distributions are committed to supporting OpenSSL 1.1.1
> for much longer.
>
> Looking at the various timescales, I think we should be helpful to the
> downstream distributions where we can but they are going to have to take
> on some of the maintenance work for their LTS distributions once OpenSSL
> 1.1.1 reaches EOL.
>
> So that starts to look like 1.3.x (built with OpenSSL 3.0.x) around the
> middle of next year. That should be good to Sept 2026. Not sure what
> we'd do for the last few years of 9.0.x. 1.4.x built on whatever the new
> OpenSSL LTS is?
>
> Then what do we do with LibreSSL? Maintain support in the 1.x branch?
>
> Given the direction of travel (towards Panama and using OpenSSL
> directly) how much effort do we want to put into LibreSSL support?
>
> Do we want to announce an early EOL for the deprecated parts of the
> o.a.t.u.jni package with a view to removing them during the lifetime of
> 8.5.x and 9.0.x? That would simplify planning (Tomcat Native 1.2.x would
> EOL at the same time). But it would be highly unusual for us to do that
> and could cause breakage with a point release.
>
> What about LibreSSL? Are we looking towards a panama module for LibreSSL
> and then some glue code so you can swap between panama modules for
> different TLS native libraries?
>
> Lots of questions there. Nothing jumps out at me as the "obvious" plan.
> Thoughts?

Technically right now, the Panama code works with OpenSSL 1.1.1 (but
not 1.1.0), since that's what I was using on my Fedora 35 (Fedora 36
now uses OpenSSL 3.0). OTOH, by the time this code is supported, 3.0
(or more) seems like a more realistic target as we're not going to say
that it supports EOLed versions.

I believe it is possible to support 1.1.1 in tomcat-native 2.0, since
all the useful new init and TLS 1.3 capabilities are in place. I'm not
sure LibreSSL has these init changes which is why it's a problem to
support it with Panama (it's pretty verbose and error prone, also the
calls might well go away in OpenSSL eventually since they are not used
anymore).

Rémy



Re: [tomcat-native] 01/02: Minimum OpenSSL version is 3.0.0 is keylog callback is always available

Posted by Mark Thomas <ma...@apache.org>.
On 31/05/2022 17:59, Rémy Maucherat wrote:
> On Tue, May 31, 2022 at 6:48 PM Mark Thomas <ma...@apache.org> wrote:

<snip/>

>> On that topic, I originally made the decision to keep LibreSSL support
>> when I thought that 10.1.x would require Tomcat Native 2.0.x. The plan
>> has since shifted and 10.1.x will ship with Tomcat Native 2.0.x but will
>> still be able to use (a sufficiently recent) Tomcat Native 1.2.x. With
>> that in mind, do we want to keep LibreSSL support in Tomcat Native 2.0.x?
> 
> If tomcat-native 2.0 is fully aligned with what the Panama code does
> (so no LibreSSL), it would be better for a future transition to it.
> OTOH, it would force supporting 1.2 for (much) longer.

Hmm. Tricky.

If we assume that we need to support Tomcat Native 1.x until EOL of 
9.0.x (due to the o.a.t.u.jni package) then we will be supporting 1.x for 
(best guess) until 2028 or so.

OpenSSL 1.1.1 is EOL 2023-09-11 so there is a 4/5 year gap there. 
However, various distributions are committed to supporting OpenSSL 1.1.1 
for much longer.

Looking at the various timescales, I think we should be helpful to the 
downstream distributions where we can but they are going to have to take 
on some of the maintenance work for their LTS distributions once OpenSSL 
1.1.1 reaches EOL.

So that starts to look like 1.3.x (built with OpenSSL 3.0.x) around the 
middle of next year. That should be good to Sept 2026. Not sure what 
we'd do for the last few years of 9.0.x. 1.4.x built on whatever the new 
OpenSSL LTS is?

Then what do we do with LibreSSL? Maintain support in the 1.x branch?

Given the direction of travel (towards Panama and using OpenSSL 
directly) how much effort do we want to put into LibreSSL support?

Do we want to announce an early EOL for the deprecated parts of the 
o.a.t.u.jni package with a view to removing them during the lifetime of 
8.5.x and 9.0.x? That would simplify planning (Tomcat Native 1.2.x would 
EOL at the same time). But it would be highly unusual for us to do that 
and could cause breakage with a point release.

What about LibreSSL? Are we looking towards a panama module for LibreSSL 
and then some glue code so you can swap between panama modules for 
different TLS native libraries?

Lots of questions there. Nothing jumps out at me as the "obvious" plan. 
Thoughts?

Mark



Re: [tomcat-native] 01/02: Minimum OpenSSL version is 3.0.0 is keylog callback is always available

Posted by Rémy Maucherat <re...@apache.org>.
On Tue, May 31, 2022 at 6:48 PM Mark Thomas <ma...@apache.org> wrote:
>
> On 31/05/2022 17:34, Christopher Schultz wrote:
> > Mark,
> >
> > On 5/31/22 11:30, markt@apache.org wrote:
> >> This is an automated email from the ASF dual-hosted git repository.
> >>
> >> markt pushed a commit to branch main
> >> in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
> >>
> >> commit b6952740dd64fa8ea7edd1764d4b14661527a0eb
> >> Author: Mark Thomas <ma...@apache.org>
> >> AuthorDate: Wed May 25 16:15:02 2022 +0100
> >>
> >>      Minimum OpenSSL version is 3.0.0 is keylog callback is always
> >> available
> >
> > If the minimum version of OpenSSL is 3.0.0, then probably MANY MANY
> > #ifdefs can be removed.
> >
> > Removing them would, of course, cause lots of merge conflicts when
> > back-ports are done so it's probably not worth it. Given that (chaos),
> > I'm curious: why did you remove this one in particular?
>
> A lot look like they might need to stay - at least in some form - if we
> want to continue to support LibreSSL in Tomcat Native 2.0.x.
>
> I do have a large commit that removes a lot of unused code. I need to
> wait until Tomcat Native 1.2.34 is released before I merge that commit
> else Tomcat 10.1.x won't be able to use Tomcat Native unless you build
> Tomcat native from source.
>
> I'm generally removing stuff as I spot that it is no longer required. My
> intention is to remove everything I can. The merge conflicts might not
> be too bad...
>
> On that topic, I originally made the decision to keep LibreSSL support
> when I thought that 10.1.x would require Tomcat Native 2.0.x. The plan
> has since shifted and 10.1.x will ship with Tomcat Native 2.0.x but will
> still be able to use (a sufficiently recent) Tomcat Native 1.2.x. With
> that in mind, do we want to keep LibreSSL support in Tomcat Native 2.0.x?

If tomcat-native 2.0 is fully aligned with what the Panama code does
(so no LibreSSL), it would be better for a future transition to it.
OTOH, it would force supporting 1.2 for (much) longer.

Rémy



Re: [tomcat-native] 01/02: Minimum OpenSSL version is 3.0.0 is keylog callback is always available

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 5/31/22 12:48, Mark Thomas wrote:
> On 31/05/2022 17:34, Christopher Schultz wrote:
>> Mark,
>>
>> On 5/31/22 11:30, markt@apache.org wrote:
>>> This is an automated email from the ASF dual-hosted git repository.
>>>
>>> markt pushed a commit to branch main
>>> in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
>>>
>>> commit b6952740dd64fa8ea7edd1764d4b14661527a0eb
>>> Author: Mark Thomas <ma...@apache.org>
>>> AuthorDate: Wed May 25 16:15:02 2022 +0100
>>>
>>>      Minimum OpenSSL version is 3.0.0 is keylog callback is always 
>>> available
>>
>> If the minimum version of OpenSSL is 3.0.0, then probably MANY MANY 
>> #ifdefs can be removed.
>>
>> Removing them would, of course, cause lots of merge conflicts when 
>> back-ports are done so it's probably not worth it. Given that (chaos), 
>> I'm curious: why did you remove this one in particular?
> 
> A lot look like they might need to stay - at least in some form - if we 
> want to continue to support LibreSSL in Tomcat Native 2.0.x.

Oh, right... there's that.

> I do have a large commit that removes a lot of unused code. I need to 
> wait until Tomcat Native 1.2.34 is released before I merge that commit 
> else Tomcat 10.1.x won't be able to use Tomcat Native unless you build 
> Tomcat native from source.
> 
> I'm generally removing stuff as I spot that it is no longer required. My 
> intention is to remove everything I can. The merge conflicts might not 
> be too bad...
> 
> On that topic, I originally made the decision to keep LibreSSL support 
> when I thought that 10.1.x would require Tomcat Native 2.0.x. The plan 
> has since shifted and 10.1.x will ship with Tomcat Native 2.0.x but will 
> still be able to use (a sufficiently recent) Tomcat Native 1.2.x. With 
> that in mind, do we want to keep LibreSSL support in Tomcat Native 2.0.x?

IMO LibreSSL support is a *very* nice to have. If it's not too much 
trouble, I think we should try to support it. Theoretically, it has API 
(ABI?) compatibility with OpenSSL (1.x) so it shouldn't be that bad if 
we still support earlier versions of OpenSSL. But since you've bumped up 
the requirement to 3.0.x... I'm not sure where that leaves us.

There is a large deployment of OpenSSL 1.x that isn't likely to change 
for a while. I still see many environments on 1.0.x these days, and they 
wouldn't be able to upgrade to tcnative 2, which isn't necessarily a 
deal-breaker. I wouldn't want to require tcnative-2 on 10.0 or below any 
time soon, possibly ever. So I think there's still quite a future for 
tcnative-1.

-chris



Re: [tomcat-native] 01/02: Minimum OpenSSL version is 3.0.0 is keylog callback is always available

Posted by Mark Thomas <ma...@apache.org>.
On 31/05/2022 17:34, Christopher Schultz wrote:
> Mark,
> 
> On 5/31/22 11:30, markt@apache.org wrote:
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> markt pushed a commit to branch main
>> in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
>>
>> commit b6952740dd64fa8ea7edd1764d4b14661527a0eb
>> Author: Mark Thomas <ma...@apache.org>
>> AuthorDate: Wed May 25 16:15:02 2022 +0100
>>
>>      Minimum OpenSSL version is 3.0.0 is keylog callback is always 
>> available
> 
> If the minimum version of OpenSSL is 3.0.0, then probably MANY MANY 
> #ifdefs can be removed.
> 
> Removing them would, of course, cause lots of merge conflicts when 
> back-ports are done so it's probably not worth it. Given that (chaos), 
> I'm curious: why did you remove this one in particular?

A lot look like they might need to stay - at least in some form - if we 
want to continue to support LibreSSL in Tomcat Native 2.0.x.

I do have a large commit that removes a lot of unused code. I need to 
wait until Tomcat Native 1.2.34 is released before I merge that commit 
else Tomcat 10.1.x won't be able to use Tomcat Native unless you build 
Tomcat native from source.

I'm generally removing stuff as I spot that it is no longer required. My 
intention is to remove everything I can. The merge conflicts might not 
be too bad...

On that topic, I originally made the decision to keep LibreSSL support 
when I thought that 10.1.x would require Tomcat Native 2.0.x. The plan 
has since shifted and 10.1.x will ship with Tomcat Native 2.0.x but will 
still be able to use (a sufficiently recent) Tomcat Native 1.2.x. With 
that in mind, do we want to keep LibreSSL support in Tomcat Native 2.0.x?

Mark



Re: [tomcat-native] 01/02: Minimum OpenSSL version is 3.0.0 is keylog callback is always available

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 5/31/22 11:30, markt@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
> 
> markt pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
> 
> commit b6952740dd64fa8ea7edd1764d4b14661527a0eb
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Wed May 25 16:15:02 2022 +0100
> 
>      Minimum OpenSSL version is 3.0.0 is keylog callback is always available

If the minimum version of OpenSSL is 3.0.0, then probably MANY MANY 
#ifdefs can be removed.

Removing them would, of course, cause lots of merge conflicts when 
back-ports are done so it's probably not worth it. Given that (chaos), 
I'm curious: why did you remove this one in particular?

-chris

> ---
>   native/include/ssl_private.h | 6 ------
>   native/src/ssl.c             | 8 --------
>   native/src/sslcontext.c      | 2 --
>   3 files changed, 16 deletions(-)
> 
> diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
> index fc0f6ba9b..4d99ece20 100644
> --- a/native/include/ssl_private.h
> +++ b/native/include/ssl_private.h
> @@ -242,10 +242,6 @@ extern ENGINE *tcn_ssl_engine;
>   #define TLS_server_method                SSLv23_server_method
>   #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
>   
> -#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
> -#define HAVE_KEYLOG_CALLBACK
> -#endif
> -
>   #define MAX_ALPN_PROTO_SIZE 65535
>   #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL            1
>   
> @@ -392,9 +388,7 @@ int         SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
>   int         SSL_callback_SSL_verify(int, X509_STORE_CTX *);
>   int         SSL_rand_seed(const char *file);
>   int         SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *);
> -#ifdef HAVE_KEYLOG_CALLBACK
>   void        SSL_callback_add_keylog(SSL_CTX *);
> -#endif
>   
>   #if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && ! (defined(WIN32) || defined(WIN64))
>   unsigned long SSL_ERR_get(void);
> diff --git a/native/src/ssl.c b/native/src/ssl.c
> index c48cb4247..fa8209cbe 100644
> --- a/native/src/ssl.c
> +++ b/native/src/ssl.c
> @@ -29,7 +29,6 @@ extern apr_pool_t *tcn_global_pool;
>   ENGINE *tcn_ssl_engine = NULL;
>   tcn_pass_cb_t tcn_password_callback;
>   
> -#ifdef HAVE_KEYLOG_CALLBACK
>   static BIO *key_log_file = NULL;
>   
>   static void ssl_keylog_callback(const SSL *ssl, const char *line)
> @@ -39,7 +38,6 @@ static void ssl_keylog_callback(const SSL *ssl, const char *line)
>           BIO_puts(key_log_file, "\n");
>       }
>   }
> -#endif
>   
>   /* From netty-tcnative */
>   static jclass byteArrayClass;
> @@ -293,14 +291,12 @@ static void free_dh_params(void)
>       }
>   }
>   
> -#ifdef HAVE_KEYLOG_CALLBACK
>   void SSL_callback_add_keylog(SSL_CTX *ctx)
>   {
>       if (key_log_file) {
>           SSL_CTX_set_keylog_callback(ctx, ssl_keylog_callback);
>       }
>   }
> -#endif
>   
>   /* Hand out the same DH structure though once generated as we leak
>    * memory otherwise and freeing the structure up after use would be
> @@ -401,12 +397,10 @@ static apr_status_t ssl_init_cleanup(void *data)
>   #endif
>   #endif
>   
> -#ifdef HAVE_KEYLOG_CALLBACK
>       if (key_log_file) {
>           BIO_free(key_log_file);
>           key_log_file = NULL;
>       }
> -#endif
>   
>       /* Don't call ERR_free_strings here; ERR_load_*_strings only
>        * actually load the error strings once per process due to static
> @@ -863,7 +857,6 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
>       sClazz = (*e)->FindClass(e, "java/lang/String");
>       stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
>   
> -#ifdef HAVE_KEYLOG_CALLBACK
>       if (!key_log_file) {
>           char *key_log_file_name = getenv("SSLKEYLOGFILE");
>           if (key_log_file_name) {
> @@ -877,7 +870,6 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
>               }
>           }
>       }
> -#endif
>   
>       return (jint)APR_SUCCESS;
>   }
> diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
> index b69b4480f..80a252021 100644
> --- a/native/src/sslcontext.c
> +++ b/native/src/sslcontext.c
> @@ -325,9 +325,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
>           goto init_failed;
>       }
>   
> -#ifdef HAVE_KEYLOG_CALLBACK
>       SSL_callback_add_keylog(ctx);
> -#endif
>   
>       c->protocol = protocol;
>       c->mode     = mode;



[tomcat-native] 01/02: Minimum OpenSSL version is 3.0.0 is keylog callback is always available

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit b6952740dd64fa8ea7edd1764d4b14661527a0eb
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed May 25 16:15:02 2022 +0100

    Minimum OpenSSL version is 3.0.0 is keylog callback is always available
---
 native/include/ssl_private.h | 6 ------
 native/src/ssl.c             | 8 --------
 native/src/sslcontext.c      | 2 --
 3 files changed, 16 deletions(-)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index fc0f6ba9b..4d99ece20 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -242,10 +242,6 @@ extern ENGINE *tcn_ssl_engine;
 #define TLS_server_method                SSLv23_server_method
 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_KEYLOG_CALLBACK
-#endif
-
 #define MAX_ALPN_PROTO_SIZE 65535
 #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL            1
 
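Review bot: the guard removed in this hunk excluded LibreSSL (!defined(LIBRESSL_VERSION_NUMBER)) as well as OpenSSL before 1.1.1, but the commit message only justifies dropping the version half. If LibreSSL support is kept in 2.0.x, as the thread discusses, the now-unconditional SSL_callback_add_keylog declaration, and the SSL_CTX_set_keylog_callback call behind it in ssl.c, need checking against the LibreSSL releases the build is meant to accept; otherwise the message should say that LibreSSL loses the keylog path too.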
@@ -392,9 +388,7 @@ int         SSL_CTX_use_certificate_chain(SSL_CTX *, const char *, int);
 int         SSL_callback_SSL_verify(int, X509_STORE_CTX *);
 int         SSL_rand_seed(const char *file);
 int         SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *);
-#ifdef HAVE_KEYLOG_CALLBACK
 void        SSL_callback_add_keylog(SSL_CTX *);
-#endif
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && ! (defined(WIN32) || defined(WIN64))
 unsigned long SSL_ERR_get(void);
diff --git a/native/src/ssl.c b/native/src/ssl.c
index c48cb4247..fa8209cbe 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -29,7 +29,6 @@ extern apr_pool_t *tcn_global_pool;
 ENGINE *tcn_ssl_engine = NULL;
 tcn_pass_cb_t tcn_password_callback;
 
-#ifdef HAVE_KEYLOG_CALLBACK
 static BIO *key_log_file = NULL;
 
 static void ssl_keylog_callback(const SSL *ssl, const char *line)
@@ -39,7 +38,6 @@ static void ssl_keylog_callback(const SSL *ssl, const char *line)
         BIO_puts(key_log_file, "\n");
     }
 }
-#endif
 
 /* From netty-tcnative */
 static jclass byteArrayClass;
@@ -293,14 +291,12 @@ static void free_dh_params(void)
     }
 }
 
-#ifdef HAVE_KEYLOG_CALLBACK
 void SSL_callback_add_keylog(SSL_CTX *ctx)
 {
     if (key_log_file) {
         SSL_CTX_set_keylog_callback(ctx, ssl_keylog_callback);
     }
 }
-#endif
 
 /* Hand out the same DH structure though once generated as we leak
  * memory otherwise and freeing the structure up after use would be
@@ -401,12 +397,10 @@ static apr_status_t ssl_init_cleanup(void *data)
 #endif
 #endif
 
-#ifdef HAVE_KEYLOG_CALLBACK
     if (key_log_file) {
         BIO_free(key_log_file);
         key_log_file = NULL;
     }
-#endif
 
     /* Don't call ERR_free_strings here; ERR_load_*_strings only
      * actually load the error strings once per process due to static
@@ -863,7 +857,6 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
     sClazz = (*e)->FindClass(e, "java/lang/String");
     stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
 
-#ifdef HAVE_KEYLOG_CALLBACK
     if (!key_log_file) {
         char *key_log_file_name = getenv("SSLKEYLOGFILE");
         if (key_log_file_name) {
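Review bot: with the #ifdef gone, the SSLKEYLOGFILE lookup in this hunk is compiled into every build, so any Tomcat process that inherits that variable will write its TLS session secrets to the named file. That is the intent of the change, but it turns what was a build-time option into a purely runtime one; a line in the changelog or the connector documentation would let operators know to keep SSLKEYLOGFILE out of production environments.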
@@ -877,7 +870,6 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
             }
         }
     }
-#endif
 
     return (jint)APR_SUCCESS;
 }
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index b69b4480f..80a252021 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -325,9 +325,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
         goto init_failed;
     }
 
-#ifdef HAVE_KEYLOG_CALLBACK
     SSL_callback_add_keylog(ctx);
-#endif
 
     c->protocol = protocol;
     c->mode     = mode;




[tomcat-native] 02/02: Remove conditional compilation expressions for OpenSSL versions before 3

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit a8f07805eb0bd8897239c7a8f8a4581ffd3fb2c9
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed May 25 19:04:26 2022 +0100

    Remove conditional compilation expressions for OpenSSL versions before 3
---
 native/include/ssl_private.h |   8 +--
 native/src/ssl.c             |  42 +++++--------
 native/src/sslcontext.c      | 144 ++++++-------------------------------------
 native/src/sslutils.c        |  11 ----
 4 files changed, 39 insertions(+), 166 deletions(-)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 4d99ece20..be0c7d563 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -214,8 +214,8 @@ extern ENGINE *tcn_ssl_engine;
 
 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
 
-/* OpenSSL 1.0.2 compatibility */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+/* LibreSSL compatibility */
+#if defined(LIBRESSL_VERSION_NUMBER)
 #define OpenSSL_version                  SSLeay_version
 #define OpenSSL_version_num              SSLeay
 #define OPENSSL_VERSION                  SSLEAY_VERSION
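Review bot: this block now keys on defined(LIBRESSL_VERSION_NUMBER) alone, with no lower bound on LIBRESSL_VERSION_NUMBER, so the compatibility macros (OpenSSL_version, TLS_method and friends) are applied to every LibreSSL release regardless of age. A minimum-version check, or a #error for anything older than the LibreSSL the project actually builds and tests against, would make the supported range as explicit as the new OpenSSL 3.0.0 floor is.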
@@ -240,7 +240,7 @@ extern ENGINE *tcn_ssl_engine;
 #define TLS_method                       SSLv23_method
 #define TLS_client_method                SSLv23_client_method
 #define TLS_server_method                SSLv23_server_method
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
+#endif /* defined(LIBRESSL_VERSION_NUMBER) */
 
 #define MAX_ALPN_PROTO_SIZE 65535
 #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL            1
@@ -390,7 +390,7 @@ int         SSL_rand_seed(const char *file);
 int         SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *);
 void        SSL_callback_add_keylog(SSL_CTX *);
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && ! (defined(WIN32) || defined(WIN64))
+#if defined(LIBRESSL_VERSION_NUMBER) && ! (defined(WIN32) || defined(WIN64))
 unsigned long SSL_ERR_get(void);
 void SSL_ERR_clear(void);
 #else
diff --git a/native/src/ssl.c b/native/src/ssl.c
index fa8209cbe..d6f19ef44 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -43,7 +43,7 @@ static void ssl_keylog_callback(const SSL *ssl, const char *line)
 static jclass byteArrayClass;
 static jclass stringClass;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 /* Global reference to the pool used by the dynamic mutexes */
 static apr_pool_t *dynlockpool = NULL;
 
@@ -207,8 +207,8 @@ static const jint supported_ssl_opts = 0
 #endif
      | 0;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-/* OpenSSL Pre-1.1.0 compatibility */
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* LibreSSL compatibility */
 /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
 {
@@ -316,7 +316,7 @@ DH *SSL_get_dh_params(unsigned keylen)
     return NULL; /* impossible to reach. */
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
 static void init_bio_methods(void);
 static void free_bio_methods(void);
 #endif
@@ -344,7 +344,7 @@ static apr_status_t ssl_init_cleanup(void *data)
         return APR_SUCCESS;
     ssl_initialized = 0;
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && ! (defined(WIN32) || defined(WIN64))
+#if defined(LIBRESSL_VERSION_NUMBER) && ! (defined(WIN32) || defined(WIN64))
     if (threadkey_initialized) {
         threadkey_initialized = 0;
         apr_threadkey_private_delete(thread_exit_key);
@@ -357,7 +357,7 @@ static apr_status_t ssl_init_cleanup(void *data)
                          tcn_password_callback.cb.obj);
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     free_bio_methods();
 #endif
     free_dh_params();
@@ -370,7 +370,7 @@ static apr_status_t ssl_init_cleanup(void *data)
     }
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     /* Openssl v1.1+ handles all termination automatically. Do
      * nothing in this case.
      */
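Review bot: the condition now reads !defined(LIBRESSL_VERSION_NUMBER), but the comment beneath it still says "Openssl v1.1+ handles all termination automatically", which no longer describes what the #if selects. The same stale wording appears in the SSL initialize hunk further down ("Openssl v1.1+ handles all initialisation automatically"). Rewording both as OpenSSL (3.0+) versus LibreSSL keeps the comments in step with the new guards.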
@@ -378,9 +378,6 @@ static apr_status_t ssl_init_cleanup(void *data)
     /*
      * Try to kill the internals of the SSL library.
      */
-#ifdef OPENSSL_FIPS
-    FIPS_mode_set(0);
-#endif
     /* Corresponds to OPENSSL_load_builtin_modules() */
     CONF_modules_free();
     /* Corresponds to SSL_library_init: */
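Review bot: the dropped FIPS_mode_set(0) sits in the cleanup branch that the preceding hunk makes LibreSSL-only, so after this commit no build, LibreSSL included, resets FIPS mode on shutdown. The commit message only says that pre-3.0 conditionals are removed; a sentence recording that the OPENSSL_FIPS teardown is gone entirely would help anyone bisecting a FIPS-related regression later.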
@@ -392,9 +389,7 @@ static apr_status_t ssl_init_cleanup(void *data)
     SSL_COMP_free_compression_methods();
 #endif
     CRYPTO_cleanup_all_ex_data();
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
     ERR_remove_thread_state(NULL);
-#endif
 #endif
 
     if (key_log_file) {
@@ -431,10 +426,10 @@ static ENGINE *ssl_try_load_engine(const char *engine)
 #endif
 
 /*
- * To ensure thread-safetyness in OpenSSL
+ * To ensure thread-safetyness in LibreSSL
  */
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 static apr_thread_mutex_t **ssl_lock_cs;
 static int                  ssl_lock_num_locks;
 
@@ -459,7 +454,7 @@ static unsigned long ssl_thread_id(void)
     return (unsigned long)tcn_get_thread_id();
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 #if ! (defined(WIN32) || defined(WIN64))
 void SSL_thread_exit(void) {
     ERR_remove_thread_state(NULL);
@@ -746,7 +741,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
 {
     jclass clazz;
     jclass sClazz;
-#if !defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER < 0x10100000L
+#if !defined(OPENSSL_NO_ENGINE)
     apr_status_t err = APR_SUCCESS;
 #endif
 
@@ -763,7 +758,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
         TCN_FREE_CSTRING(engine);
         return (jint)APR_SUCCESS;
     }
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     /* Openssl v1.1+ handles all initialisation automatically, apart
      * from hints as to how we want to use the library.
      *
@@ -837,7 +832,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine)
     SSL_init_app_data_idx();
 
     init_dh_params();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     init_bio_methods();
 #endif
 
@@ -1013,13 +1008,6 @@ static int jbs_new(BIO *bi)
     j->refcount  = 1;
     BIO_set_shutdown(bi, 1);
     BIO_set_init(bi, 0);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    /* No setter method for OpenSSL 1.1.0 available,
-     * but I can't find any functional use of the
-     * "num" field there either.
-     */
-    bi->num      = -1;
-#endif
     BIO_set_data(bi, (void *)j);
 
     return 1;
@@ -1149,7 +1137,7 @@ static long jbs_ctrl(BIO *b, int cmd, long num, void *ptr)
     return ret;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 static BIO_METHOD jbs_methods = {
     BIO_TYPE_FILE,
     "Java Callback",
@@ -1185,7 +1173,7 @@ static void free_bio_methods(void)
 
 static BIO_METHOD *BIO_jbs()
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     return(&jbs_methods);
 #else
     return jbs_methods;
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 80a252021..348725499 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -129,7 +129,7 @@ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, tcn_ssl_ctxt_t *c)
     return SSL_TLSEXT_ERR_OK;
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
 /*
  * This callback function is called when the ClientHello is received.
  */
@@ -225,7 +225,7 @@ give_up:
     }
     return SSL_CLIENT_HELLO_SUCCESS;
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x10101000L */
+#endif
 
 /* Initialize server context */
 TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
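Review bot: the bare `#endif` drops the trailing comment that tied the close of a roughly hundred-line block back to its `#if`. The old comment was wrong anyway (it said `< 0x10101000L` for a `>=` condition), but replacing it with `#endif /* !defined(LIBRESSL_VERSION_NUMBER) */` keeps the pairing visible; the same applies to the `#else` and `#endif` edits further down in this file.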
@@ -236,9 +236,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
     SSL_CTX *ctx = NULL;
     jclass clazz;
     jclass sClazz;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
     jint prot;
-#endif
 
     UNREFERENCED(o);
     if (protocol == SSL_PROTOCOL_NONE) {
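Review bot: `jint prot;` is now declared unconditionally, but it is only assigned and used inside the non-LibreSSL `#else` branch of the protocol-version logic later in this function, so a LibreSSL build gets an unused-variable warning. Guarding the declaration with `#if !defined(LIBRESSL_VERSION_NUMBER)` keeps it aligned with its use site.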
@@ -246,73 +244,12 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
         goto init_failed;
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    if (protocol == SSL_PROTOCOL_TLSV1_3) {
-#ifdef HAVE_TLSV1_3
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(TLSv1_3_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(TLSv1_3_server_method());
-        else
-            ctx = SSL_CTX_new(TLSv1_3_method());
-#endif
-    } else if (protocol == SSL_PROTOCOL_TLSV1_2) {
-#ifdef HAVE_TLSV1_2
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(TLSv1_2_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(TLSv1_2_server_method());
-        else
-            ctx = SSL_CTX_new(TLSv1_2_method());
-#endif
-    } else if (protocol == SSL_PROTOCOL_TLSV1_1) {
-#ifdef HAVE_TLSV1_1
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(TLSv1_1_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(TLSv1_1_server_method());
-        else
-            ctx = SSL_CTX_new(TLSv1_1_method());
-#endif
-    } else if (protocol == SSL_PROTOCOL_TLSV1) {
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(TLSv1_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(TLSv1_server_method());
-        else
-            ctx = SSL_CTX_new(TLSv1_method());
-    } else if (protocol == SSL_PROTOCOL_SSLV3) {
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(SSLv3_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(SSLv3_server_method());
-        else
-            ctx = SSL_CTX_new(SSLv3_method());
-    } else if (protocol == SSL_PROTOCOL_SSLV2) {
-        /* requested but not supported */
-#ifndef HAVE_TLSV1_3
-    } else if (protocol & SSL_PROTOCOL_TLSV1_3) {
-        /* requested but not supported */
-#endif
-#ifndef HAVE_TLSV1_2
-    } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
-        /* requested but not supported */
-#endif
-#ifndef HAVE_TLSV1_1
-    } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
-        /* requested but not supported */
-#endif
-    } else {
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
-        if (mode == SSL_MODE_CLIENT)
-                ctx = SSL_CTX_new(TLS_client_method());
-        else if (mode == SSL_MODE_SERVER)
-                ctx = SSL_CTX_new(TLS_server_method());
-        else
-                ctx = SSL_CTX_new(TLS_method());
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    }
-#endif
+    if (mode == SSL_MODE_CLIENT)
+        ctx = SSL_CTX_new(TLS_client_method());
+    else if (mode == SSL_MODE_SERVER)
+        ctx = SSL_CTX_new(TLS_server_method());
+    else
+        ctx = SSL_CTX_new(TLS_method());
 
     if (!ctx) {
         char err[256];
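Review bot: this simplification changes behaviour for protocol masks that the old code deliberately left unserved. Previously `SSL_PROTOCOL_SSLV2`, and any TLS version whose `HAVE_TLSV1_x` was not defined, fell into a "requested but not supported" branch, `ctx` stayed NULL and the `if (!ctx)` path below reported an error. Now `SSL_CTX_new(TLS_method())` always succeeds, so such a request proceeds to the min/max version logic. Confirm that the version logic rejects an SSLv2-only mask rather than producing a context with default versions, or add an explicit rejection next to the existing `SSL_PROTOCOL_NONE` check.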
@@ -336,7 +273,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
         BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
     SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     /* always disable SSLv2, as per RFC 6176 */
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
     if (!(protocol & SSL_PROTOCOL_SSLV3))
@@ -356,7 +293,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
         SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_3);
 #endif
 
-#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
+#else
     /* We first determine the maximum protocol version we should provide */
 #ifdef HAVE_TLSV1_3
     if (protocol & SSL_PROTOCOL_TLSV1_3) {
@@ -396,7 +333,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
         prot = SSL3_VERSION;
     }
     SSL_CTX_set_min_proto_version(ctx, prot);
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif
 
     /*
      * Configure additional context ingredients
@@ -463,7 +400,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
     SSL_CTX_set_tlsext_servername_callback(c->ctx, ssl_callback_ServerNameIndication);
     SSL_CTX_set_tlsext_servername_arg(c->ctx, c);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     /*
      * The ClientHello callback also allows to retrieve the SNI, but since it
      * runs at the earliest possible connection stage we can even set the TLS
@@ -640,7 +577,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, getCiphers)(TCN_STDARGS, jlong ctx)
     const char *name;
     int i;
     jstring c_name;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     SSL *ssl;
 #endif
 
@@ -651,9 +588,9 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, getCiphers)(TCN_STDARGS, jlong ctx)
         return NULL;
     }
 
-    /* Before OpenSSL 1.1.0, get_ciphers() was only available
+    /* For LibreSSL get_ciphers() iss only available
      * on an SSL, not for an SSL_CTX. */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     ssl = SSL_new(c->ctx);
     if (ssl == NULL) {
         tcn_ThrowException(e, "could not create temporary ssl from ssl context");
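Review bot: typo in the new comment, "get_ciphers() iss only available" should read "is only available".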
@@ -667,7 +604,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, getCiphers)(TCN_STDARGS, jlong ctx)
     len = sk_SSL_CIPHER_num(sk);
 
     if (len <= 0) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
         SSL_free(ssl);
 #endif
         return NULL;
@@ -682,7 +619,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, getCiphers)(TCN_STDARGS, jlong ctx)
         c_name = (*e)->NewStringUTF(e, name);
         (*e)->SetObjectArrayElement(e, array, i, c_name);
     }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     SSL_free(ssl);
 #endif
     return array;
@@ -1201,21 +1138,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx,
         (eckey = EC_KEY_new_by_curve_name(nid))) {
         SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
     }
-    /*
-     * ...otherwise, enable auto curve selection (OpenSSL 1.0.2)
-     * or configure NIST P-256 (required to enable ECDHE for earlier versions)
-     * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
-     */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-    else {
-#if defined(SSL_CTX_set_ecdh_auto)
-        SSL_CTX_set_ecdh_auto(c->ctx, 1);
-#else
-        eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-        SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
-#endif
-    }
-#endif
+
     /* OpenSSL assures us that _free() is NULL-safe */
     EC_KEY_free(eckey);
     EC_GROUP_free(ecparams);
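Review bot: the `+` line that replaces the removed block is a stray blank line; drop it. Also, removing the comment block takes the rationale for having no `else` branch with it; a one-line note such as "auto curve selection is the default from OpenSSL 1.1.0 on, so no fallback is needed" keeps the next reader from wondering why an explicit curve is set only when one was supplied.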
@@ -1328,15 +1251,6 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateRaw)(TCN_STDARGS, jlong c
     /*
      * TODO try to read the ECDH curve name from somewhere...
      */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-#if defined(SSL_CTX_set_ecdh_auto)
-    SSL_CTX_set_ecdh_auto(c->ctx, 1);
-#else
-    eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-    SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
-    EC_KEY_free(eckey);
-#endif
-#endif
 #endif
     SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
 cleanup:
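Review bot: the "TODO try to read the ECDH curve name from somewhere..." comment now precedes nothing but an `#endif`, so it reads as orphaned; either remove it or move it next to the code that would use a curve name. Also check whether `eckey` is still referenced anywhere in setCertificateRaw now that this was its only remaining use in the removed lines; if not, its declaration becomes an unused variable.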
@@ -1825,7 +1739,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setSessionTicketKeys)(TCN_STDARGS, jlong ct
 }
 
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 
 /*
  * Adapted from OpenSSL:
@@ -1925,7 +1839,7 @@ static const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){
     if (cipher == NULL) {
         return "UNKNOWN";
     }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     kx = cipher->algorithm_mkey;
     auth = cipher->algorithm_auth;
 #else
@@ -1937,12 +1851,6 @@ static const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){
         {
     case TCN_SSL_kRSA:
         return SSL_TXT_RSA;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    case TCN_SSL_kDHr:
-        return SSL_TXT_DH "_" SSL_TXT_RSA;
-    case TCN_SSL_kDHd:
-        return SSL_TXT_DH "_" SSL_TXT_DSS;
-#endif
     case TCN_SSL_kDHE:
         switch (auth)
             {
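Review bot: with the `TCN_SSL_kDHr` and `TCN_SSL_kDHd` cases gone, confirm that their definitions in ssl_private.h are removed in the same change so no dead macros remain, and that the outer `switch (kx)` keeps a `default: return "UNKNOWN";` arm so a LibreSSL build, where `kx` comes straight from `cipher->algorithm_mkey`, cannot fall off the end of the switch for a key-exchange value that no longer has a case.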
@@ -1955,14 +1863,6 @@ static const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){
         default:
             return "UNKNOWN";
             }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    case TCN_SSL_kKRB5:
-        return SSL_TXT_KRB5;
-    case TCN_SSL_kECDHr:
-        return SSL_TXT_ECDH "_" SSL_TXT_RSA;
-    case TCN_SSL_kECDHe:
-        return SSL_TXT_ECDH "_" SSL_TXT_ECDSA;
-#endif
     case TCN_SSL_kECDHE:
         switch (auth)
             {
@@ -1981,9 +1881,6 @@ static const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){
 }
 
 static const char* SSL_authentication_method(const SSL* ssl) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-   return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher);
-#else
     /* XXX ssl->s3->tmp.new_cipher is no longer available in OpenSSL 1.1.0 */
     /* https://github.com/netty/netty-tcnative/blob/1.1.33/openssl-dynamic/src/main/c/sslcontext.c
      * contains a different method, but I think this is not correct.
@@ -1992,7 +1889,6 @@ static const char* SSL_authentication_method(const SSL* ssl) {
     /* Not sure whether SSL_get_current_cipher(ssl) returns something useful
      * at the point in time we call it. */
    return SSL_CIPHER_authentication_method(SSL_get_current_cipher(ssl));
-#endif
 }
 /* Android end */
 
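Review bot: the surviving comment "XXX ssl->s3->tmp.new_cipher is no longer available in OpenSSL 1.1.0" now describes a code path that this hunk deleted, so it no longer explains anything. Trim it to the remaining open question about whether `SSL_get_current_cipher(ssl)` is meaningful at the point of the call, which is the part a future reader actually needs.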
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index e2118a923..caa9d5a9a 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -524,15 +524,11 @@ static int ssl_verify_OCSP(X509_STORE_CTX *ctx)
          * may yield NULL. Return early, but leave the ctx error as is. */
         return OCSP_STATUS_UNKNOWN;
     }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
-#else
     /* No need to check cert->valid, because ssl_verify_OCSP() only
      * is called if OpenSSL already successfully verified the certificate
      * (parameter "ok" in SSL_callback_SSL_verify() must be true).
      */
     else if (X509_check_issued(cert,cert) == X509_V_OK) {
-#endif
         /* don't do OCSP checking for valid self-issued certs */
         X509_STORE_CTX_set_error(ctx, X509_V_OK);
         return OCSP_STATUS_UNKNOWN;
@@ -845,9 +841,6 @@ static OCSP_RESPONSE *parse_ocsp_resp(char *buf, int len)
 
     BIO_write(mem, buf, len);  /* write the buffer to the bio */
     if (BIO_gets(mem, tmpbuf, 512) <= 0) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-        OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
-#endif
         goto err;
     }
     /* Parse the HTTP response. This will look like this:
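Review bot: removing the `OCSPerr` call is required because the `OCSP_F_*` function codes went away, but the `goto err` path now leaves the OpenSSL error queue empty, so a caller that logs `ERR_get_error()` after an OCSP parse failure sees nothing. If that signal is wanted, the 3.0 spelling is `ERR_raise(ERR_LIB_OCSP, OCSP_R_SERVER_RESPONSE_PARSE_ERROR)`, provided that reason code is still defined in the headers you build against.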
@@ -973,11 +966,7 @@ static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, X509 *cert, X509 *issuer,
     int ok = 0;
     apr_socket_t *apr_sock = NULL;
     apr_pool_t *mp;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    if (OCSP_parse_url(url, &hostname, &c_port, &path, &use_ssl) == 0)
-#else
     if (OSSL_HTTP_parse_url(url, &use_ssl, NULL, &hostname, &c_port, NULL, &path, NULL, NULL) == 0)
-#endif
         goto end;
 
     if (sscanf(c_port, "%d", &port) != 1)
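Review bot: unlike every other hunk in this patch, this one drops the non-3.0 alternative entirely. `OSSL_HTTP_parse_url` is OpenSSL 3.0 API and, as far as I know, is not provided by LibreSSL, so a LibreSSL build that the rest of the patch keeps alive will fail here unless the OCSP code is excluded for LibreSSL elsewhere; either guard it or note the dropped support. Two smaller points on the call itself: the sixth argument (`pport_num`) could receive `&port` directly, making the `sscanf(c_port, "%d", &port)` line unnecessary, and the `hostname`, `c_port` and `path` strings it returns are allocated by OpenSSL and must be released with `OPENSSL_free` on every exit path, as with the old `OCSP_parse_url`.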

