(xmlsec-openssl) Removed support for OpenSSL 1.1.0 (#721)

configure.ac

@@ -672,24 +672,14 @@ XMLSEC_CRYPTO_DISABLED_LIST=""
 dnl ==========================================================================
 dnl OpenSSL
 dnl ==========================================================================
-OPENSSL_MIN_VERSION="1.1.0"
+OPENSSL_MIN_VERSION="1.1.1"
 OPENSSL_INCLUDE_DIR="$COMMON_INCLUDE_DIR /usr/local/ssl/include"
 OPENSSL_LIB_DIR="$COMMON_LIB_DIR /usr/local/ssl/lib /usr/local/ssl/lib64"
 OPENSSL_CRYPTO_LIB="$XMLSEC_PACKAGE-openssl"
 OPENSSL_INCLUDE_MARKER="openssl/opensslv.h"
 OPENSSL_LIB_SHARED_MARKER="libcrypto$shrext"
 OPENSSL_LIB_STATIC_MARKER="libcrypto.a"
 OPENSSL_LIBS_LIST="-lcrypto"
-case $host in
-    *-*-mingw*)   OPENSSL_EXTRA_LIBS=;;
-    *-*-osf5*)    OPENSSL_EXTRA_LIBS=;;
-    *-*-openbsd*) OPENSSL_EXTRA_LIBS=;;
-    *-*-netbsd*)  OPENSSL_EXTRA_LIBS=;;
-    *-*-freebsd*|*-*-dragonfly*) OPENSSL_EXTRA_LIBS=;;
-    *-*-darwin*) OPENSSL_EXTRA_LIBS=;;
-    #FIXME: check if lib "dl" is required
-    *)            OPENSSL_EXTRA_LIBS=-ldl;;
-esac
 
 XMLSEC_NO_OPENSSL="1"
 OPENSSL_VERSION=""
@@ -791,7 +781,7 @@ fi
 
 dnl Set flags if INCLUDE_PATH or LIB_PATH are set
 if test "z$OPENSSL_FOUND" = "zyes" -a "z$OPENSSL_INCLUDE_PATH" != "z" ; then
-    OPENSSL_CFLAGS="$OPENSSL_CFLAGS -I$OPENSSL_INCLUDE_PATH -I$OPENSSL_INCLUDE_PATH/openssl"
+    OPENSSL_CFLAGS="$OPENSSL_CFLAGS -I$OPENSSL_INCLUDE_PATH"
 fi
 if test "z$OPENSSL_FOUND" = "zyes" -a "z$OPENSSL_LIB_PATH" != "z" ; then
     if test -f "$OPENSSL_LIB_PATH/$OPENSSL_LIB_SHARED_MARKER" ; then
@@ -816,6 +806,8 @@ if test "z$OPENSSL_FOUND" = "zyes" ; then
             #endif
         ],[
             OPENSSL_VERSION="LibreSSL >= 3.5"
+            OPENSSL_LIBS="-Wl,-Bstatic $OPENSSL_LIBS -Wl,-Bdynamic"
+            enable_dh=no
         ],[
             OPENSSL_VERSION=""
         ])
@@ -825,15 +817,18 @@ if test "z$OPENSSL_FOUND" = "zyes" ; then
         AC_EGREP_CPP(greater-than-minvers, [
             #include <openssl/opensslv.h>
             #include <openssl/crypto.h>
-            #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+            #if OPENSSL_VERSION_NUMBER >= 0x10100010L
             #ifdef OPENSSL_IS_BORINGSSL
             greater-than-minvers
             #endif
             #endif
         ],[
-            OPENSSL_VERSION="BoringSSL >= 1.1.0"
+            OPENSSL_VERSION="BoringSSL >= 1.1.1"
+            OPENSSL_LIBS="-Wl,-Bstatic $OPENSSL_LIBS -Wl,-Bdynamic"
             enable_ripemd160=no
             enable_dsa=no
+            enable_dh=no
+            enable_sha3=no
         ],[
             OPENSSL_VERSION=""
         ])
@@ -856,11 +851,11 @@ if test "z$OPENSSL_FOUND" = "zyes" ; then
     if test "z$OPENSSL_VERSION" = "z" ; then
         AC_EGREP_CPP(greater-than-minvers, [
             #include <openssl/opensslv.h>
-            #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+            #if OPENSSL_VERSION_NUMBER >= 0x10100010L
             greater-than-minvers
             #endif
         ],[
-            OPENSSL_VERSION="1.1.0"
+            OPENSSL_VERSION="1.1.1"
         ],[
             OPENSSL_VERSION=""
         ])

docs/index.html

@@ -75,6 +75,8 @@ <h1>XML Security Library</h1>
         <ul>
             <li>(xmlsec-core) Removed '--enable-size-t' ('size_t' for MSVC builds) option and made 'xmlSecSize' to always be the same as 'size_t'.</li>
             <li>(xmlsec-core) Removed previously deprecated functions, defines, etc.</li>
+            <li>(xmlsec-openssl) Removed support for OpenSSL 1.1.0 (<a href="https://endoflife.date/openssl">end of life in Aug 2016</a>).
+            The minimum OpenSSL supported version is 1.1.1; the version 3.0.0 or greater is recommended.</li>
             <li>Several other small fixes (see <a href="https://github.com/lsh123/xmlsec/commits/master">more details</a>).</li>
         </ul>
 	</li>

include/xmlsec/openssl/crypto.h

@@ -47,17 +47,11 @@ extern "C" {
  *******************************************************************/
 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x30500000L
 /* LibreSSL implements (most of) OpenSSL 1.1 API */
-#define XMLSEC_OPENSSL_API_110      1
+#define XMLSEC_OPENSSL_API_111      1
 #elif OPENSSL_VERSION_NUMBER >= 0x30000000L
 #define XMLSEC_OPENSSL_API_300      1
 #elif OPENSSL_VERSION_NUMBER >= 0x10101000L
 #define XMLSEC_OPENSSL_API_111      1
-#define XMLSEC_OPENSSL_API_110      1
-#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
-#define XMLSEC_OPENSSL_API_110      1
-#if defined(_MSC_VER) || defined(__GNUC__) || defined(__clang__)
-#pragma message("Support for OpenSSL before version 1.1.1 is deprecated and will be removed in the future versions of XMLSec library")
-#endif /* defined(_MSC_VER) || defined(__GNUC__) || defined(__clang__) */
 #else  /* OPENSSL_VERSION_NUMBER */
 #error "This version of OpenSSL library is not supported"
 #endif /* OPENSSL_VERSION_NUMBER */

src/openssl/README.md

@@ -1,8 +1,7 @@
 # XMLSec Library: XMLSEC-OPENSSL
 
 ## What version of OpenSSL?
-OpenSSL 1.1.1 or later is required. Note that support for OpenSSL 1.1.0 is
-deprecated and will be removed in the future releases.
+OpenSSL 1.1.1 or later is required.
 
 Also LibreSSL (>= 3.5.0) and Boring SSL (>= 1.1.0) should work but those are
 less tested than OpenSSL.

src/openssl/app.c

@@ -46,7 +46,10 @@
 #include <openssl/engine.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/x509.h>
+
+#ifndef OPENSSL_IS_BORINGSSL
 #include <openssl/ui.h>
+#endif /* OPENSSL_IS_BORINGSSL */
 
 #ifndef XMLSEC_OPENSSL_NO_STORE
 #include <openssl/store.h>
@@ -750,6 +753,7 @@ xmlSecOpenSSLAppCheckCertMatchesKey(EVP_PKEY * pKey,  X509 * cert) {
     return(1);
 }
 
+#if !defined(XMLSEC_OPENSSL_NO_STORE)
 static X509 *
 xmlSecOpenSSLAppFindKeyCert(EVP_PKEY * pKey, STACK_OF(X509) * certs) {
     X509 * cert;
@@ -783,6 +787,8 @@ xmlSecOpenSSLAppFindKeyCert(EVP_PKEY * pKey, STACK_OF(X509) * certs) {
     /* not found */
     return(NULL);
 }
+#endif /* !defined(XMLSEC_OPENSSL_NO_STORE) */
+
 #endif /* XMLSEC_NO_X509 */
 
 static xmlSecKeyPtr

src/openssl/crypto.c

@@ -364,8 +364,12 @@ xmlSecCryptoGetFunctions_openssl(void) {
 #endif /* XMLSEC_NO_SHA3 */
 
     gXmlSecOpenSSLFunctions->transformRsaPkcs1GetKlass          = xmlSecOpenSSLTransformRsaPkcs1GetKlass;
+
+#ifndef XMLSEC_OPENSSL_NO_RSA_OAEP
     gXmlSecOpenSSLFunctions->transformRsaOaepGetKlass           = xmlSecOpenSSLTransformRsaOaepGetKlass;
     gXmlSecOpenSSLFunctions->transformRsaOaepEnc11GetKlass      = xmlSecOpenSSLTransformRsaOaepEnc11GetKlass;
+#endif /* XMLSEC_OPENSSL_NO_RSA_OAEP */
+
 #endif /* XMLSEC_NO_RSA */
 
     /******************************* SHA ********************************/

src/openssl/evp.c

@@ -42,17 +42,6 @@
 #include "../cast_helpers.h"
 #include "../keysdata_helpers.h"
 
-#ifdef OPENSSL_IS_BORINGSSL
-#ifndef XMLSEC_NO_RSA
-static inline int RSA_test_flags(const RSA *r, int flags) {
-    xmlSecAssert2(r != NULL, 0);
-    return(r->flags & flags);
-}
-#endif /* XMLSEC_NO_RSA */
-
-#endif /* OPENSSL_IS_BORINGSSL */
-
-
 static int
 xmlSecOpenSSLGetBNValue(const xmlSecBufferPtr buf, BIGNUM **bigNum) {
     xmlSecByte* bufPtr;

src/openssl/kt_rsa.c

@@ -510,6 +510,7 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform) {
     return(0);
 }
 
+#ifndef XMLSEC_OPENSSL_NO_RSA_OAEP
 /**************************************************************************
  *
  * Internal OpenSSL RSA OAEP CTX
@@ -739,6 +740,9 @@ xmlSecOpenSSLRsaOaepProcessImpl(xmlSecOpenSSLRsaOaepCtxPtr ctx, const xmlSecByte
             return(-1);
         }
         xmlSecBufferFinalize(&tmp);
+
+        /* success */
+        XMLSEC_SAFE_CAST_INT_TO_SIZE(ret, (*outSize), return(-1), NULL);
     } else {
         /* decrypt */
         BIGNUM * bn;
@@ -751,7 +755,6 @@ xmlSecOpenSSLRsaOaepProcessImpl(xmlSecOpenSSLRsaOaepCtxPtr ctx, const xmlSecByte
         }
         outLen = ret;
 
-#ifndef OPENSSL_IS_BORINGSSL
         /*
          * the private decrypt w/o padding adds '0's at the beginning.
          * it's not clear for me can I simply skip all '0's from the
@@ -779,7 +782,6 @@ xmlSecOpenSSLRsaOaepProcessImpl(xmlSecOpenSSLRsaOaepCtxPtr ctx, const xmlSecByte
         }
         outLen = ret;
         BN_clear_free(bn);
-#endif /* OPENSSL_IS_BORINGSSL */
 
         ret = RSA_padding_check_PKCS1_OAEP_mgf1(
             outBuf, outLen, outBuf, outLen, keyLen,
@@ -789,10 +791,12 @@ xmlSecOpenSSLRsaOaepProcessImpl(xmlSecOpenSSLRsaOaepCtxPtr ctx, const xmlSecByte
             xmlSecOpenSSLError("RSA_padding_check_PKCS1_OAEP_mgf1",  NULL);
             return(-1);
         }
+
+        /* success */
+        XMLSEC_SAFE_CAST_INT_TO_SIZE(ret, (*outSize), return(-1), NULL);
     }
 
     /* success */
-    XMLSEC_SAFE_CAST_INT_TO_SIZE(ret, (*outSize), return(-1), NULL);
     return(0);
 }
 
@@ -1363,5 +1367,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform) {
 
     return(0);
 }
+#endif /* XMLSEC_OPENSSL_NO_RSA_OAEP */
+
 
 #endif /* XMLSEC_NO_RSA */

src/openssl/openssl_compat.h

@@ -11,57 +11,6 @@
 
 #include "../cast_helpers.h"
 
-/******************************************************************************
- *
- * OpenSSL 1.1.1
- *
- ******************************************************************************/
-#if !defined(XMLSEC_OPENSSL_API_111) && !defined(XMLSEC_OPENSSL_API_300)
-
-#define RAND_priv_bytes(buf,num)            RAND_bytes((buf),(num))
-
-#endif /* !defined(XMLSEC_OPENSSL_API_111) && !defined(XMLSEC_OPENSSL_API_300) */
-
-
-/******************************************************************************
- *
- * OpenSSL 3.0.0 compatibility
- *
- *****************************************************************************/
-#if !defined(XMLSEC_OPENSSL_API_300)
-
-/* ConcatKDF (SSKDF) key derivation algorithm is only available on OpenSSL 3.0.0 or above
- * (https://www.openssl.org/docs/man3.0/man7/EVP_KDF-SS.html)
- */
-#define XMLSEC_NO_CONCATKDF     1
-
-/* PBKDF2 key derivation algorithm is only available on OpenSSL 3.0.0 or above
- * (https://www.openssl.org/docs/man3.0/man7/EVP_KDF-PBKDF2.html)
- */
-#define XMLSEC_NO_PBKDF2        1
-
-#define BIO_new_ex(libctx,type)                                     BIO_new((type))
-#define PEM_read_bio_PrivateKey_ex(bp,x,cb,u,libctx,propq)          PEM_read_bio_PrivateKey((bp),(x),(cb),(u))
-#define PEM_read_bio_PUBKEY_ex(bp,x,cb,u,libctx,propq)              PEM_read_bio_PUBKEY((bp),(x),(cb),(u))
-#define d2i_PrivateKey_ex_bio(bp,a,libctx,propq)                    d2i_PrivateKey_bio((bp),(a))
-
-#define EVP_SignFinal_ex(ctx,md,s,pkey,libctx,propq)                EVP_SignFinal((ctx),(md),(s),(pkey))
-#define EVP_VerifyFinal_ex(ctx,sigbuf,siglen,pkey,libctx,propq)     EVP_VerifyFinal((ctx),(sigbuf),(siglen),(pkey))
-
-#define X509_new_ex(libctx,propq)                                   X509_new()
-#define X509_CRL_new_ex(libctx,propq)                               X509_CRL_new()
-#define X509_STORE_CTX_new_ex(libctx,propq)                         X509_STORE_CTX_new()
-#define X509_STORE_set_default_paths_ex(ctx,libctx,propq)           X509_STORE_set_default_paths((ctx))
-#define X509_NAME_hash_ex(x,libctx,propq,ok)                        X509_NAME_hash((x))
-
-#define RAND_priv_bytes_ex(ctx,buf,num,strength)                    xmlSecOpenSSLCompatRand((buf),(num))
-static inline int xmlSecOpenSSLCompatRand(unsigned char *buf, xmlSecSize size) {
-    int num;
-    XMLSEC_SAFE_CAST_SIZE_TO_INT(size, num, return(0), NULL);
-    return(RAND_priv_bytes(buf, num));
-}
-
-#endif /* !defined(XMLSEC_OPENSSL_API_300) */
 
 /******************************************************************************
  *
@@ -72,28 +21,32 @@ static inline int xmlSecOpenSSLCompatRand(unsigned char *buf, xmlSecSize size) {
 
 /* Not implemented by LibreSSL (yet?) */
 #define XMLSEC_OPENSSL_NO_ASN1_TIME_TO_TM   1
+#define XMLSEC_OPENSSL_NO_STORE             1
+#define XMLSEC_OPENSSL_NO_DEEP_COPY         1
+#define XMLSEC_OPENSSL_NO_CRL_VERIFICATION  1
+#define XMLSEC_OPENSSL_NO_RSA_OAEP          1
+#define XMLSEC_NO_DH                        1
+#define XMLSEC_NO_DSA                       1
+#define XMLSEC_NO_SHA3                      1
+
 
 #define ENGINE_cleanup(...)                 {}
 #define CONF_modules_unload(...)            {}
+
+#define RAND_priv_bytes(buf,len)            RAND_bytes((buf), (len))
 #define RAND_write_file(file)               (0)
 
-#define EVP_PKEY_base_id(pkey)             EVP_PKEY_id(pkey)
-#define EVP_CipherFinal(ctx, out, out_len) EVP_CipherFinal_ex(ctx, out, out_len)
+#define EVP_PKEY_base_id(pkey)              EVP_PKEY_id(pkey)
+#define EVP_CipherFinal(ctx, out, out_len)  EVP_CipherFinal_ex(ctx, out, out_len)
 #define EVP_read_pw_string(...)             (-1)
 
-#define X509_STORE_CTX_get_by_subject      X509_STORE_get_by_subject
-#define X509_OBJECT_new()                  (calloc(1, sizeof(X509_OBJECT)))
-#define X509_OBJECT_free(x)                { X509_OBJECT_free_contents(x); free(x); }
-
-/* defined in boringssl/crypto/fipsmodule/rsa/internal.h */
-int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len, size_t max_out,
-                                      const uint8_t *from, size_t from_len,
-                                      const uint8_t *param, size_t param_len,
-                                      const EVP_MD *md, const EVP_MD *mgf1md);
- int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
-                                     const unsigned char *f, int fl,
-                                     const unsigned char *p, int pl,
-                                     const EVP_MD *md, const EVP_MD *mgf1md);
+#define X509_get0_pubkey(cert)              X509_get_pubkey((cert))
+#define X509_STORE_CTX_get_by_subject       X509_STORE_get_by_subject
+
+/* simply return success */
+#define sk_X509_reserve(crts, num)          (1)
+#define sk_X509_CRL_reserve(crls, num)      (1)
+
 #endif /* OPENSSL_IS_BORINGSSL */
 
 /******************************************************************************
@@ -110,6 +63,8 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len, size_t max_
 #define XMLSEC_OPENSSL_NO_DEEP_COPY         1
 #define XMLSEC_NO_DH                        1
 
+#define RAND_priv_bytes(buf,len)            RAND_bytes((buf), (len))
+
 /* simply return success */
 #define sk_X509_reserve(crts, num)          (1)
 #define sk_X509_CRL_reserve(crls, num)      (1)
@@ -125,6 +80,47 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len, size_t max_
 #endif /* defined(LIBRESSL_VERSION_NUMBER) */
 
 
+/******************************************************************************
+ *
+ * OpenSSL 3.0.0 compatibility
+ *
+ *****************************************************************************/
+#if !defined(XMLSEC_OPENSSL_API_300)
+
+/* ConcatKDF (SSKDF) key derivation algorithm is only available on OpenSSL 3.0.0 or above
+ * (https://www.openssl.org/docs/man3.0/man7/EVP_KDF-SS.html)
+ */
+#define XMLSEC_NO_CONCATKDF     1
+
+/* PBKDF2 key derivation algorithm is only available on OpenSSL 3.0.0 or above
+ * (https://www.openssl.org/docs/man3.0/man7/EVP_KDF-PBKDF2.html)
+ */
+#define XMLSEC_NO_PBKDF2        1
+
+#define BIO_new_ex(libctx,type)                                     BIO_new((type))
+#define PEM_read_bio_PrivateKey_ex(bp,x,cb,u,libctx,propq)          PEM_read_bio_PrivateKey((bp),(x),(cb),(u))
+#define PEM_read_bio_PUBKEY_ex(bp,x,cb,u,libctx,propq)              PEM_read_bio_PUBKEY((bp),(x),(cb),(u))
+#define d2i_PrivateKey_ex_bio(bp,a,libctx,propq)                    d2i_PrivateKey_bio((bp),(a))
+
+#define EVP_SignFinal_ex(ctx,md,s,pkey,libctx,propq)                EVP_SignFinal((ctx),(md),(s),(pkey))
+#define EVP_VerifyFinal_ex(ctx,sigbuf,siglen,pkey,libctx,propq)     EVP_VerifyFinal((ctx),(sigbuf),(siglen),(pkey))
+
+#define X509_new_ex(libctx,propq)                                   X509_new()
+#define X509_CRL_new_ex(libctx,propq)                               X509_CRL_new()
+#define X509_STORE_CTX_new_ex(libctx,propq)                         X509_STORE_CTX_new()
+#define X509_STORE_set_default_paths_ex(ctx,libctx,propq)           X509_STORE_set_default_paths((ctx))
+#define X509_NAME_hash_ex(x,libctx,propq,ok)                        X509_NAME_hash((x))
+
+#define RAND_priv_bytes_ex(ctx,buf,num,strength)                    xmlSecOpenSSLCompatRand((buf),(num))
+static inline int xmlSecOpenSSLCompatRand(unsigned char *buf, xmlSecSize size) {
+    int num;
+    XMLSEC_SAFE_CAST_SIZE_TO_INT(size, num, return(0), NULL);
+    return(RAND_priv_bytes(buf, num));
+}
+
+#endif /* !defined(XMLSEC_OPENSSL_API_300) */
+
+
 /******************************************************************************
  *
  * Common constants that aren't defined anywhere.