
[2/2] Fix tls_openssl compile on systems with OpenSSL 1.0 installed.

Message ID 1579637367-14080-2-git-send-email-greearb@candelatech.com
State Rejected
Series [1/2] Fix wmm compile on fedora-17 (gcc 4.7.2) | expand

Commit Message

Ben Greear Jan. 21, 2020, 8:09 p.m. UTC
From: Ben Greear <greearb@candelatech.com>

This lets me compile once more on Fedora 17 and other older
systems.

Signed-off-by: Ben Greear <greearb@candelatech.com>
---
 src/crypto/tls_openssl.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comments

Jouni Malinen Feb. 17, 2020, 5:45 p.m. UTC | #1
On Tue, Jan 21, 2020 at 12:09:27PM -0800, greearb@candelatech.com wrote:
> This lets me compile once more on Fedora 17 and other older
> systems.

OpenSSL 1.0.0 reached its end of life more than four years ago. I see no
point in supporting such an old version of a critical crypto library,
taking into account the number of known security vulnerabilities that have
been discovered since that version stopped receiving security fixes. As
of now, I do not consider anything older than OpenSSL 1.0.2 as worth
supporting and I'd point out that even 1.0.2 has reached its end of life
(but has option for paid extended support). Furthermore, version 1.1.0
is not supported either.

Patch

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 9d11c8a..3fb29e3 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2682,6 +2682,7 @@  static int tls_connection_ca_cert(struct tls_data *data,
 				      (const unsigned char **) &ca_cert_blob,
 				      ca_cert_blob_len);
 		if (cert == NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
 			BIO *bio = BIO_new_mem_buf(ca_cert_blob,
 						   ca_cert_blob_len);
 
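Review bot: The new guard `#if OPENSSL_VERSION_NUMBER >= 0x10200000L` selects OpenSSL 1.2.0, not 1.0.2: in the encoding this file already uses, 0x10100000L is 1.1.0 and 0x10101000L is 1.1.1 (see the last hunk), so 1.0.2 would be `0x10002000L`. As written, the PEM fallback in this hunk and the debug-dump code in the hunks at openssl_debug_dump_cipher_list, openssl_debug_dump_certificates and openssl_debug_dump_certificate_chains are compiled out for every 1.0.2 and 1.1.x build, and the `#else` branch added in the next hunk would then return -1 for any non-DER ca_cert_blob on those versions. Presumably 1.0.2 is the intended cutoff given the commit message targets OpenSSL 1.0 systems; if so, each of the four guards should read `#if OPENSSL_VERSION_NUMBER >= 0x10002000L`. tls_connection_ca_cert's body starts and continues outside this hunk.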
@@ -2699,6 +2700,11 @@  static int tls_connection_ca_cert(struct tls_data *data,
 			while (ERR_get_error()) {
 				/* Ignore errors from DER conversion. */
 			}
+#else
+			tls_show_errors(MSG_WARNING, __func__,
+					"Failed to parse ca_cert_blob");
+			return -1;
+#endif
 		}
 
 		if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
@@ -5253,6 +5259,7 @@  static void openssl_debug_dump_cipher_list(SSL_CTX *ssl_ctx)
 
 
 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
 
 static const char * openssl_pkey_type_str(const EVP_PKEY *pkey)
 {
@@ -5312,11 +5319,13 @@  static void openssl_debug_dump_certificates(SSL_CTX *ssl_ctx)
 }
 
 #endif
+#endif
 
 
 static void openssl_debug_dump_certificate_chains(SSL_CTX *ssl_ctx)
 {
 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
 	int res;
 
 	for (res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
@@ -5326,6 +5335,7 @@  static void openssl_debug_dump_certificate_chains(SSL_CTX *ssl_ctx)
 
 	SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
 #endif
+#endif
 }
 
 
@@ -5660,6 +5670,10 @@  u16 tls_connection_get_cipher_suite(struct tls_connection *conn)
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
 	return SSL_CIPHER_get_protocol_id(cipher);
 #else
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	return cipher->id & 0XFFFF;
+#else
 	return SSL_CIPHER_get_id(cipher) & 0xFFFF;
 #endif
+#endif
 }
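Review bot: The nested `#else` / `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `#else` / `#endif` / `#endif` in tls_connection_get_cipher_suite is harder to follow than a single chain, and the new `0XFFFF` literal differs in case from the existing `0xFFFF` two lines below. Replacing the `#else` and inner `#if` with `#elif OPENSSL_VERSION_NUMBER < 0x10100000L`, writing the new line as `return cipher->id & 0xFFFF;`, and dropping the extra `#endif` keeps the same three branches with one level of conditional. The function's opening is outside the hunk.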