This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 1.3.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit fdd91723488cb47de3319dbee40ca31ee036dcc3
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Feb 5 09:42:50 2024 +0000

    First pass at reviewing use of OPENSSL_VERSION_NUMBER
---
 native/build/tcnative.m4     |   6 +-
 native/include/ssl_private.h |  10 ++--
 native/src/ssl.c             |  37 +++++-------
 native/src/sslcontext.c      | 138 ++++++-------------------------------------
 native/src/sslinfo.c         |   2 +-
 native/src/sslutils.c        |   7 ---
 6 files changed, 41 insertions(+), 159 deletions(-)

diff --git a/native/build/tcnative.m4 b/native/build/tcnative.m4
index 9681586ae..eee9710dc 100644
--- a/native/build/tcnative.m4
+++ b/native/build/tcnative.m4
@@ -240,16 +240,16 @@ AC_ARG_ENABLE(openssl-version-check,
         [disable the OpenSSL version check])])
 case "$enable_openssl_version_check" in
 yes|'')
-        AC_MSG_CHECKING(OpenSSL library version >= 1.0.2)
+        AC_MSG_CHECKING(OpenSSL library version >= 1.1.1)
         AC_TRY_RUN([
 #include <stdio.h>
 #include <openssl/opensslv.h>
 int main() {
-        if (OPENSSL_VERSION_NUMBER >= 0x1000200fL)
+        if (OPENSSL_VERSION_NUMBER >= 0x1010100fL)
             return (0);
     printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x (" OPENSSL_VERSION_TEXT 
")\n",
         OPENSSL_VERSION_NUMBER);
-    printf("Require OPENSSL_VERSION_NUMBER 0x1000200f or greater (1.0.2)\n\n");
+    printf("Require OPENSSL_VERSION_NUMBER 0x1010100f or greater (1.1.1)\n\n");
         return (1);
 }
         ],
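Review bot: The probe's `printf` passes `OPENSSL_VERSION_NUMBER`, a `long` constant (same type as the `0x1010100fL` literal on the changed line), to a `%#010x` conversion that expects `unsigned int`, which is undefined behaviour in the very program meant to report the version; change it to `%#010lx`. The raised threshold also only constrains OpenSSL: as far as I recall LibreSSL reports a 2.x/3.x value in `OPENSSL_VERSION_NUMBER`, so every LibreSSL release passes this check whatever 1.1-era API it actually provides, and the check can be switched off with the option on the first context line, so the `#if !defined(LIBRESSL_VERSION_NUMBER)` paths the rest of the commit introduces have no guard beyond this probe. Minor: `int main()` should be `int main(void)` in the probe.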
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index d90bc1f4b..286a50a04 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -217,8 +217,8 @@ extern ENGINE *tcn_ssl_engine;
 
 #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
 
-/* OpenSSL 1.0.2 compatibility */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+/* LibreSSL compatibility */
+#if defined(LIBRESSL_VERSION_NUMBER)
 #define OpenSSL_version                  SSLeay_version
 #define OpenSSL_version_num              SSLeay
 #define OPENSSL_VERSION                  SSLEAY_VERSION
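Review bot: With the `OPENSSL_VERSION_NUMBER < 0x10100000L` leg dropped here and in the `HAVE_KEYLOG_CALLBACK` hunk below, every non-LibreSSL build is compiled as if it had the 1.1.1 API, but nothing in the header enforces that; the configure probe can be disabled, so an OpenSSL 1.1.0 or 1.0.2 build would now fail on missing symbols instead of a clear message. I would add next to this block `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1010100fL` / `#error "OpenSSL 1.1.1 or later is required"` / `#endif`. The `LibreSSL compatibility` comment would also benefit from naming the LibreSSL range these `SSLeay_*` aliases are for, since recent LibreSSL releases provide the `OpenSSL_version*` names themselves (worth confirming against the minimum LibreSSL this branch supports).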
@@ -243,9 +243,9 @@ extern ENGINE *tcn_ssl_engine;
 #define TLS_method                       SSLv23_method
 #define TLS_client_method                SSLv23_client_method
 #define TLS_server_method                SSLv23_server_method
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || 
defined(LIBRESSL_VERSION_NUMBER) */
+#endif /* defined(LIBRESSL_VERSION_NUMBER) */
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
 #define HAVE_KEYLOG_CALLBACK
 #endif
 
@@ -401,7 +401,7 @@ int         SSL_callback_alpn_select_proto(SSL *, const 
unsigned char **, unsign
 void        SSL_callback_add_keylog(SSL_CTX *);
 #endif
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) 
&& ! (defined(WIN32) || defined(WIN64))
+#if defined(LIBRESSL_VERSION_NUMBER) && ! (defined(WIN32) || defined(WIN64))
 unsigned long SSL_ERR_get(void);
 void SSL_ERR_clear(void);
 #else
diff --git a/native/src/ssl.c b/native/src/ssl.c
index ff716091f..a5bdaf43c 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -46,7 +46,7 @@ static void ssl_keylog_callback(const SSL *ssl, const char 
*line)
 static jclass byteArrayClass;
 static jclass stringClass;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 /* Global reference to the pool used by the dynamic mutexes */
 static apr_pool_t *dynlockpool = NULL;
 
@@ -210,8 +210,8 @@ static const jint supported_ssl_opts = 0
 #endif
      | 0;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-/* OpenSSL Pre-1.1.0 compatibility */
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* LibreSSL compatibility */
 /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
 {
@@ -321,7 +321,7 @@ DH *SSL_get_dh_params(unsigned keylen)
     return NULL; /* impossible to reach. */
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
 static void init_bio_methods(void);
 static void free_bio_methods(void);
 #endif
@@ -349,7 +349,7 @@ static apr_status_t ssl_init_cleanup(void *data)
         return APR_SUCCESS;
     ssl_initialized = 0;
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) 
&& ! (defined(WIN32) || defined(WIN64))
+#if defined(LIBRESSL_VERSION_NUMBER) && ! (defined(WIN32) || defined(WIN64))
     if (threadkey_initialized) {
         threadkey_initialized = 0;
         apr_threadkey_private_delete(thread_exit_key);
@@ -362,7 +362,7 @@ static apr_status_t ssl_init_cleanup(void *data)
                          tcn_password_callback.cb.obj);
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     free_bio_methods();
 #endif
     free_dh_params();
@@ -375,7 +375,7 @@ static apr_status_t ssl_init_cleanup(void *data)
     }
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     /* Openssl v1.1+ handles all termination automatically. Do
      * nothing in this case.
      */
@@ -397,7 +397,7 @@ static apr_status_t ssl_init_cleanup(void *data)
     SSL_COMP_free_compression_methods();
 #endif
     CRYPTO_cleanup_all_ex_data();
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     ERR_remove_thread_state(NULL);
 #endif
 #endif
@@ -441,7 +441,7 @@ static ENGINE *ssl_try_load_engine(const char *engine)
  * To ensure thread-safetyness in OpenSSL
  */
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 static apr_thread_mutex_t **ssl_lock_cs;
 static int                  ssl_lock_num_locks;
 
@@ -466,7 +466,7 @@ static unsigned long ssl_thread_id(void)
     return (unsigned long)tcn_get_thread_id();
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 #if ! (defined(WIN32) || defined(WIN64))
 void SSL_thread_exit(void) {
     ERR_remove_thread_state(NULL);
@@ -753,7 +753,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, 
jstring engine)
 {
     jclass clazz;
     jclass sClazz;
-#if !defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER < 0x10100000L
+#if !defined(OPENSSL_NO_ENGINE)
     apr_status_t err = APR_SUCCESS;
 #endif
 
@@ -770,7 +770,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, 
jstring engine)
         TCN_FREE_CSTRING(engine);
         return (jint)APR_SUCCESS;
     }
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     /* Openssl v1.1+ handles all initialisation automatically, apart
      * from hints as to how we want to use the library.
      *
@@ -844,7 +844,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, 
jstring engine)
     SSL_init_app_data_idx();
 
     init_dh_params();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     init_bio_methods();
 #endif
 
@@ -1046,13 +1046,6 @@ static int jbs_new(BIO *bi)
     j->refcount  = 1;
     BIO_set_shutdown(bi, 1);
     BIO_set_init(bi, 0);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    /* No setter method for OpenSSL 1.1.0 available,
-     * but I can't find any functional use of the
-     * "num" field there either.
-     */
-    bi->num      = -1;
-#endif
     BIO_set_data(bi, (void *)j);
 
     return 1;
@@ -1182,7 +1175,7 @@ static long jbs_ctrl(BIO *b, int cmd, long num, void *ptr)
     return ret;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 static BIO_METHOD jbs_methods = {
     BIO_TYPE_FILE,
     "Java Callback",
@@ -1218,7 +1211,7 @@ static void free_bio_methods(void)
 
 static BIO_METHOD *BIO_jbs()
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     return(&jbs_methods);
 #else
     return jbs_methods;
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 36cf11ed0..a2ddf8fce 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -132,7 +132,7 @@ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, 
tcn_ssl_ctxt_t *c)
     return SSL_TLSEXT_ERR_OK;
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
 /*
  * This callback function is called when the ClientHello is received.
  */
@@ -236,7 +236,7 @@ give_up:
 
     return SSL_CLIENT_HELLO_SUCCESS;
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x10101000L */
+#endif
 
 /* Initialize server context */
 TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
@@ -247,9 +247,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, 
jlong pool,
     SSL_CTX *ctx = NULL;
     jclass clazz;
     jclass sClazz;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
     jint prot;
-#endif
 
     UNREFERENCED(o);
     if (protocol == SSL_PROTOCOL_NONE) {
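Review bot: `jint prot` is now declared unconditionally, but within this function it is only assigned and consumed inside the `#else` of `#if defined(LIBRESSL_VERSION_NUMBER)` (the `SSL_CTX_set_min_proto_version(ctx, prot)` hunk further down), so a LibreSSL build gets an unused-variable warning and fails under `-Werror`. Wrap the declaration the same way as its use: `#if !defined(LIBRESSL_VERSION_NUMBER)` / `    jint prot;` / `#endif`. The function body continues beyond this hunk, so if the LibreSSL branch does use `prot` somewhere I cannot see, disregard this.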
@@ -257,73 +255,13 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, 
jlong pool,
         goto init_failed;
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    if (protocol == SSL_PROTOCOL_TLSV1_3) {
-#ifdef HAVE_TLSV1_3
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(TLSv1_3_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(TLSv1_3_server_method());
-        else
-            ctx = SSL_CTX_new(TLSv1_3_method());
-#endif
-    } else if (protocol == SSL_PROTOCOL_TLSV1_2) {
-#ifdef HAVE_TLSV1_2
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(TLSv1_2_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(TLSv1_2_server_method());
-        else
-            ctx = SSL_CTX_new(TLSv1_2_method());
-#endif
-    } else if (protocol == SSL_PROTOCOL_TLSV1_1) {
-#ifdef HAVE_TLSV1_1
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(TLSv1_1_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(TLSv1_1_server_method());
-        else
-            ctx = SSL_CTX_new(TLSv1_1_method());
-#endif
-    } else if (protocol == SSL_PROTOCOL_TLSV1) {
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(TLSv1_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(TLSv1_server_method());
-        else
-            ctx = SSL_CTX_new(TLSv1_method());
-    } else if (protocol == SSL_PROTOCOL_SSLV3) {
-        if (mode == SSL_MODE_CLIENT)
-            ctx = SSL_CTX_new(SSLv3_client_method());
-        else if (mode == SSL_MODE_SERVER)
-            ctx = SSL_CTX_new(SSLv3_server_method());
-        else
-            ctx = SSL_CTX_new(SSLv3_method());
-    } else if (protocol == SSL_PROTOCOL_SSLV2) {
-        /* requested but not supported */
-#ifndef HAVE_TLSV1_3
-    } else if (protocol & SSL_PROTOCOL_TLSV1_3) {
-        /* requested but not supported */
-#endif
-#ifndef HAVE_TLSV1_2
-    } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
-        /* requested but not supported */
-#endif
-#ifndef HAVE_TLSV1_1
-    } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
-        /* requested but not supported */
-#endif
+    if (mode == SSL_MODE_CLIENT) {
+        ctx = SSL_CTX_new(TLS_client_method());
+    } else if (mode == SSL_MODE_SERVER) {
+        ctx = SSL_CTX_new(TLS_server_method());
     } else {
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
-        if (mode == SSL_MODE_CLIENT)
-                ctx = SSL_CTX_new(TLS_client_method());
-        else if (mode == SSL_MODE_SERVER)
-                ctx = SSL_CTX_new(TLS_server_method());
-        else
-                ctx = SSL_CTX_new(TLS_method());
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+        ctx = SSL_CTX_new(TLS_method());
     }
-#endif
 
     if (!ctx) {
         char err[256];
@@ -349,7 +287,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, 
jlong pool,
         BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
     SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     /* always disable SSLv2, as per RFC 6176 */
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
     if (!(protocol & SSL_PROTOCOL_SSLV3))
@@ -369,7 +307,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, 
jlong pool,
         SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_3);
 #endif
 
-#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || 
defined(LIBRESSL_VERSION_NUMBER) */
+#else /* if defined(LIBRESSL_VERSION_NUMBER) */
     /* We first determine the maximum protocol version we should provide */
 #ifdef HAVE_TLSV1_3
     if (protocol & SSL_PROTOCOL_TLSV1_3) {
@@ -409,7 +347,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, 
jlong pool,
         prot = SSL3_VERSION;
     }
     SSL_CTX_set_min_proto_version(ctx, prot);
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif
 
     /*
      * Configure additional context ingredients
@@ -476,7 +414,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, 
jlong pool,
     SSL_CTX_set_tlsext_servername_callback(c->ctx, 
ssl_callback_ServerNameIndication);
     SSL_CTX_set_tlsext_servername_arg(c->ctx, c);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(LIBRESSL_VERSION_NUMBER)
     /*
      * The ClientHello callback also allows to retrieve the SNI, but since it
      * runs at the earliest possible connection stage we can even set the TLS
@@ -653,7 +591,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, 
getCiphers)(TCN_STDARGS, jlong ctx)
     const char *name;
     int i;
     jstring c_name;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     SSL *ssl;
 #endif
 
@@ -666,7 +604,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, 
getCiphers)(TCN_STDARGS, jlong ctx)
 
     /* Before OpenSSL 1.1.0, get_ciphers() was only available
      * on an SSL, not for an SSL_CTX. */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     ssl = SSL_new(c->ctx);
     if (ssl == NULL) {
         tcn_ThrowException(e, "could not create temporary ssl from ssl 
context");
@@ -680,7 +618,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, 
getCiphers)(TCN_STDARGS, jlong ctx)
     len = sk_SSL_CIPHER_num(sk);
 
     if (len <= 0) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
         SSL_free(ssl);
 #endif
         return NULL;
@@ -695,7 +633,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, 
getCiphers)(TCN_STDARGS, jlong ctx)
         c_name = (*e)->NewStringUTF(e, name);
         (*e)->SetObjectArrayElement(e, array, i, c_name);
     }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     SSL_free(ssl);
 #endif
     return array;
@@ -1206,21 +1144,6 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCertificate)(TCN_STDARGS, jlong ctx,
         (eckey = EC_KEY_new_by_curve_name(nid))) {
         SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
     }
-    /*
-     * ...otherwise, enable auto curve selection (OpenSSL 1.0.2)
-     * or configure NIST P-256 (required to enable ECDHE for earlier versions)
-     * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
-     */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-    else {
-#if defined(SSL_CTX_set_ecdh_auto)
-        SSL_CTX_set_ecdh_auto(c->ctx, 1);
-#else
-        eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-        SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
-#endif
-    }
-#endif
     /* OpenSSL assures us that _free() is NULL-safe */
     EC_KEY_free(eckey);
     EC_GROUP_free(ecparams);
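Review bot: Removing the `else` also removed the only explanation of why a context with no explicitly configured curve still gets ECDHE: the dropped comment's last line, `ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList`, is the part that remains true and is worth keeping after the `if` block, e.g. `/* No explicit curve: OpenSSL 1.1.0+ selects curves automatically. */`. The same applies to the `setCertificateRaw` hunk below, where the `TODO try to read the ECDH curve name from somewhere...` comment is now left standing over nothing before `#endif`; either drop it or replace it with the same one-line note. Both enclosing functions start and end outside these hunks.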
@@ -1333,15 +1256,6 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCertificateRaw)(TCN_STDARGS, jlong c
     /*
      * TODO try to read the ECDH curve name from somewhere...
      */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-#if defined(SSL_CTX_set_ecdh_auto)
-    SSL_CTX_set_ecdh_auto(c->ctx, 1);
-#else
-    eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-    SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
-    EC_KEY_free(eckey);
-#endif
-#endif
 #endif
     SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
 cleanup:
@@ -1850,7 +1764,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, 
setSessionTicketKeys)(TCN_STDARGS, jlong ct
 }
 
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 
 /*
  * Adapted from OpenSSL:
@@ -1950,7 +1864,7 @@ static const char* SSL_CIPHER_authentication_method(const 
SSL_CIPHER* cipher){
     if (cipher == NULL) {
         return "UNKNOWN";
     }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
     kx = cipher->algorithm_mkey;
     auth = cipher->algorithm_auth;
 #else
@@ -1962,12 +1876,6 @@ static const char* 
SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){
         {
     case TCN_SSL_kRSA:
         return SSL_TXT_RSA;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    case TCN_SSL_kDHr:
-        return SSL_TXT_DH "_" SSL_TXT_RSA;
-    case TCN_SSL_kDHd:
-        return SSL_TXT_DH "_" SSL_TXT_DSS;
-#endif
     case TCN_SSL_kDHE:
         switch (auth)
             {
@@ -1980,14 +1888,6 @@ static const char* 
SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){
         default:
             return "UNKNOWN";
             }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    case TCN_SSL_kKRB5:
-        return SSL_TXT_KRB5;
-    case TCN_SSL_kECDHr:
-        return SSL_TXT_ECDH "_" SSL_TXT_RSA;
-    case TCN_SSL_kECDHe:
-        return SSL_TXT_ECDH "_" SSL_TXT_ECDSA;
-#endif
     case TCN_SSL_kECDHE:
         switch (auth)
             {
@@ -2006,9 +1906,6 @@ static const char* SSL_CIPHER_authentication_method(const 
SSL_CIPHER* cipher){
 }
 
 static const char* SSL_authentication_method(const SSL* ssl) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-   return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher);
-#else
     /* XXX ssl->s3->tmp.new_cipher is no longer available in OpenSSL 1.1.0 */
     /* 
https://github.com/netty/netty-tcnative/blob/1.1.33/openssl-dynamic/src/main/c/sslcontext.c
      * contains a different method, but I think this is not correct.
@@ -2017,7 +1914,6 @@ static const char* SSL_authentication_method(const SSL* 
ssl) {
     /* Not sure whether SSL_get_current_cipher(ssl) returns something useful
      * at the point in time we call it. */
    return SSL_CIPHER_authentication_method(SSL_get_current_cipher(ssl));
-#endif
 }
 /* Android end */
 
diff --git a/native/src/sslinfo.c b/native/src/sslinfo.c
index 68e402461..c212e9ede 100644
--- a/native/src/sslinfo.c
+++ b/native/src/sslinfo.c
@@ -182,7 +182,7 @@ static char *lookup_ssl_cert_dn(X509_NAME *xsname, int 
dnidx)
                     ASN1_STRING *adata = X509_NAME_ENTRY_get_data(xsne);
                     int len = ASN1_STRING_length(adata);
                     result = malloc(len + 1);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
                     memcpy(result, ASN1_STRING_data(adata), len);
 #else
                     memcpy(result, ASN1_STRING_get0_data(adata), len);
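Review bot: `result = malloc(len + 1)` on the line above the changed conditional is not checked before `memcpy` writes into it, so an allocation failure passes NULL to `memcpy` on both branches; add `if (result == NULL) { return NULL; }` (or whatever `lookup_ssl_cert_dn` returns on failure, its start and end being outside the hunk). `len` comes from `ASN1_STRING_length`, which returns `int`; since it is used as a size, `(size_t)len + 1` keeps the arithmetic unsigned. This is pre-existing, but the commit touches the line between the allocation and the copy, so it is a cheap fix to fold in.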
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 2c6810d5e..beefb31ed 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -542,15 +542,11 @@ static int ssl_verify_OCSP(X509_STORE_CTX *ctx)
          * may yield NULL. Return early, but leave the ctx error as is. */
         return OCSP_STATUS_UNKNOWN;
     }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
-#else
     /* No need to check cert->valid, because ssl_verify_OCSP() only
      * is called if OpenSSL already successfully verified the certificate
      * (parameter "ok" in SSL_callback_SSL_verify() must be true).
      */
     else if (X509_check_issued(cert,cert) == X509_V_OK) {
-#endif
         /* don't do OCSP checking for valid self-issued certs */
         X509_STORE_CTX_set_error(ctx, X509_V_OK);
         return OCSP_STATUS_UNKNOWN;
@@ -863,9 +859,6 @@ static OCSP_RESPONSE *parse_ocsp_resp(char *buf, int len)
 
     BIO_write(mem, buf, len);  /* write the buffer to the bio */
     if (BIO_gets(mem, tmpbuf, 512) <= 0) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-        OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
-#endif
         goto err;
     }
     /* Parse the HTTP response. This will look like this:
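Review bot: `BIO_gets(mem, tmpbuf, 512)` hard-codes the size of `tmpbuf`, which is declared outside the hunk; if it is a local array, `sizeof tmpbuf` ties the bound to the declaration, and if it is a pointer the 512 should be a named constant shared with its allocation. With the `OCSPerr` call gone, a short read now jumps to `err` with nothing on the OpenSSL error queue; that was already the case for 1.1.0+ builds, but a comment at the `goto err` saying that the caller reports a generic parse failure would make it deliberate. `parse_ocsp_resp` continues past this hunk.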

