OpenVPN
openssl_compat.h
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2026 Sentyron B.V. <openvpn@sentyron.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
34#ifndef OPENSSL_COMPAT_H_
35#define OPENSSL_COMPAT_H_
36
37#ifdef HAVE_CONFIG_H
38#include "config.h"
39#endif
40
41#include "buffer.h"
42
43#include <openssl/rsa.h>
44#include <openssl/ssl.h>
45#include <openssl/x509.h>
46#include <openssl/err.h>
47
48/* Define the type of error. This is something that is less
49 * intrusive than casts everywhere */
50#if defined(OPENSSL_IS_AWSLC)
51typedef uint32_t openssl_err_t;
52typedef size_t openssl_stack_size_t;
53#define PRI_OPENSSL_STACK "zu"
54typedef uint32_t openssl_opt_t;
55#else
56typedef unsigned long openssl_err_t;
58#define PRI_OPENSSL_STACK "d"
59/* OpenSSL 4.0 actually uses bits in the upper half of the uint64_t (e.g.
60 * SSL_OP_PREFER_NO_DHE_KEX), so we really should use an uint64_t here */
61typedef uint64_t openssl_opt_t;
62#endif
63
64
65/* Functionality missing in 1.1.0 */
66#if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(ENABLE_CRYPTO_WOLFSSL)
67#define SSL_CTX_set1_groups SSL_CTX_set1_curves
68#endif
69
70/* Functionality missing in LibreSSL before 3.5 */
71#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL
72#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
73#define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
74#endif
75
76#if defined(LIBRESSL_VERSION_NUMBER)
77#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
78#endif
79
80#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL \
81 || defined(OPENSSL_IS_AWSLC)
82#define SSL_get_peer_tmp_key SSL_get_server_tmp_key
83#endif
84
85/* Functionality missing in 1.1.1 */
86#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_NO_EC)
87
88/* Note that this is not a perfect emulation of the new function but
89 * is good enough for our case of printing certificate details during
90 * handshake */
91static inline int
92EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len)
93{
94 const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
95 if (ec == NULL)
96 {
97 return 0;
98 }
99 const EC_GROUP *group = EC_KEY_get0_group(ec);
100 int nid = EC_GROUP_get_curve_name(group);
101
102 if (nid == 0)
103 {
104 return 0;
105 }
106 const char *curve = OBJ_nid2sn(nid);
107 if (!curve)
108 {
109 curve = "(error fetching curve name)";
110 }
111
112 strncpynt(gname, curve, gname_sz);
113
114 /* strncpynt ensures null termination so just strlen is fine here */
115 *gname_len = strlen(curve);
116 return 1;
117}
118#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_NO_EC) */
119
120#if OPENSSL_VERSION_NUMBER < 0x30000000L
121#define EVP_MD_get0_name EVP_MD_name
122#define EVP_CIPHER_get0_name EVP_CIPHER_name
123#define EVP_CIPHER_CTX_get_mode EVP_CIPHER_CTX_mode
124
126#define SSL_CTX_new_ex(libctx, propq, method) SSL_CTX_new((method))
127
128/* Some safe typedefs to avoid too many ifdefs */
129typedef void OSSL_LIB_CTX;
130typedef void OSSL_PROVIDER;
131
132/* Mimics the functions but only when the default context without
133 * options is chosen */
134static inline const EVP_CIPHER *
135EVP_CIPHER_fetch(void *ctx, const char *algorithm, const char *properties)
136{
137 ASSERT(!ctx);
138 ASSERT(!properties);
139 return EVP_get_cipherbyname(algorithm);
140}
141
142static inline const EVP_MD *
143EVP_MD_fetch(void *ctx, const char *algorithm, const char *properties)
144{
145 ASSERT(!ctx);
146 ASSERT(!properties);
147 return EVP_get_digestbyname(algorithm);
148}
149
150static inline void
151EVP_CIPHER_free(const EVP_CIPHER *cipher)
152{
153 /* OpenSSL 1.1.1 and lower use only const EVP_CIPHER, nothing to free */
154}
155
156static inline void
157EVP_MD_free(const EVP_MD *md)
158{
159 /* OpenSSL 1.1.1 and lower use only const EVP_MD, nothing to free */
160}
161
162static inline openssl_err_t
163ERR_get_error_all(const char **file, int *line, const char **func, const char **data, int *flags)
164{
165 static const char *empty = "";
166 *func = empty;
167 openssl_err_t err = ERR_get_error_line_data(file, line, data, flags);
168 return err;
169}
170
171#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
172
173#if OPENSSL_VERSION_NUMBER < 0x30500000 \
174 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL)
175static inline int
176SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
177{
178 int peer_sig_nid;
179 if (SSL_get_peer_signature_nid(ssl, &peer_sig_nid) && peer_sig_nid != NID_undef)
180 {
181 *sigalg = OBJ_nid2sn(peer_sig_nid);
182 return 1;
183 }
184 return 0;
185}
186#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3050400fL
187/* The older LibreSSL version do not implement any variant of getting the peer
188 * signature */
189static inline int
190SSL_get0_peer_signature_name(const SSL *ssl, const char **sigalg)
191{
192 *sigalg = NULL;
193 return 0;
194}
195#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || \
196 LIBRESSL_VERSION_NUMBER > 0x3050400fL) */
197
198#if OPENSSL_VERSION_NUMBER < 0x30200000L && OPENSSL_VERSION_NUMBER >= 0x30000000L
199static inline const char *
200SSL_get0_group_name(SSL *s)
201{
202 int nid = (int)SSL_get_negotiated_group(s);
203 return SSL_group_to_name(s, nid);
204}
205#endif
206
207/* Introduced in OpenSSL 3.6.0 */
208#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC
209#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000
210#endif
211
212#endif /* OPENSSL_COMPAT_H_ */
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:362
static openssl_err_t ERR_get_error_all(const char **file, int *line, const char **func, const char **data, int *flags)
static void EVP_CIPHER_free(const EVP_CIPHER *cipher)
void OSSL_PROVIDER
static int SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
static const EVP_CIPHER * EVP_CIPHER_fetch(void *ctx, const char *algorithm, const char *properties)
int openssl_stack_size_t
void OSSL_LIB_CTX
static void EVP_MD_free(const EVP_MD *md)
static const EVP_MD * EVP_MD_fetch(void *ctx, const char *algorithm, const char *properties)
unsigned long openssl_err_t
static int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len)
uint64_t openssl_opt_t
#define ASSERT(x)
Definition error.h:219