1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
34#ifndef OPENSSL_COMPAT_H_
35#define OPENSSL_COMPAT_H_
36
37#ifdef HAVE_CONFIG_H
38#include "config.h"
39#endif
40
41#include "buffer.h"
42
43#include <openssl/rsa.h>
44#include <openssl/ssl.h>
45#include <openssl/x509.h>
46#include <openssl/err.h>
47
/* Functionality missing in 1.1.0: the group/curve setter is called
 * SSL_CTX_set1_curves there, so the newer SSL_CTX_set1_groups name used by
 * the rest of the code is aliased onto it. The wolfSSL build is excluded,
 * presumably because its compatibility layer provides the name itself. */
#if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(ENABLE_CRYPTO_WOLFSSL)
#define SSL_CTX_set1_groups SSL_CTX_set1_curves
#endif
52
53/* Functionality missing in LibreSSL before 3.5 */
54#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL
/*
 * LibreSSL before 3.5 has no X509_OBJECT_free(). Release the object's
 * contents and then the object itself; a NULL argument is a no-op.
 */
static inline void
X509_OBJECT_free(X509_OBJECT *obj)
{
    if (obj == NULL)
    {
        return;
    }
    X509_OBJECT_free_contents(obj);
    OPENSSL_free(obj);
}
69
/* The generic AEAD tag control names are used throughout the crypto code;
 * these LibreSSL versions only know the GCM-specific spellings. */
#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
#define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
72#endif
73
/* LibreSSL still uses the older _EAY_ spelling of this RSA function error
 * code; alias the OpenSSL name so error matching code compiles on both. */
#if defined(LIBRESSL_VERSION_NUMBER)
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
#endif
77
/* LibreSSL before 3.5.4 and AWS-LC only offer the server-side accessor for
 * the ephemeral key; map the peer-neutral name onto it. */
#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL \
    || defined(OPENSSL_IS_AWSLC)
#define SSL_get_peer_tmp_key SSL_get_server_tmp_key
#endif
82
83/* Functionality missing in 1.1.1 */
84#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_NO_EC)
85
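/* Note that this is not a perfect emulation of the new function but
 * is good enough for our case of printing certificate details during
 * handshake.
 *
 * Copies the short name of the EC curve used by @pkey into @gname (at most
 * @gname_sz bytes; strncpynt guarantees NUL termination) and, when
 * @gname_len is not NULL, stores the full length of the curve name there.
 * Either output pointer may be NULL, mirroring the OpenSSL 3 contract where
 * the function can be used to query the length only.
 *
 * Returns 1 on success, 0 if @pkey is NULL, is not an EC key, carries no
 * group, or the group is not a named curve.
 *
 * NOTE(review): on OpenSSL 1.1.x EVP_PKEY_get0_EC_KEY() pushes an
 * "expecting an EC key" entry onto the error queue for non-EC keys; confirm
 * callers that inspect the error queue afterwards are not confused by it.
 */
static inline int
EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len)
{
    if (pkey == NULL)
    {
        return 0;
    }

    const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
    if (ec == NULL)
    {
        return 0;
    }

    /* An EC_KEY without a group would otherwise be passed straight into
     * EC_GROUP_get_curve_name(), which dereferences it. */
    const EC_GROUP *group = EC_KEY_get0_group(ec);
    if (group == NULL)
    {
        return 0;
    }

    int nid = EC_GROUP_get_curve_name(group);
    if (nid == NID_undef)
    {
        return 0;
    }

    const char *curve = OBJ_nid2sn(nid);
    if (!curve)
    {
        curve = "(error fetching curve name)";
    }

    if (gname != NULL)
    {
        strncpynt(gname, curve, gname_sz);
    }

    /* Report the full name length, not the possibly truncated copy. */
    if (gname_len != NULL)
    {
        *gname_len = strlen(curve);
    }
    return 1;
}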
116#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_NO_EC) */
117
118#if OPENSSL_VERSION_NUMBER < 0x30000000L
/* OpenSSL 3 renamed these accessors; on 1.1.x point the new names at the
 * old ones so the rest of the code can use the 3.x spelling only. */
#define EVP_MD_get0_name EVP_MD_name
#define EVP_CIPHER_get0_name EVP_CIPHER_name
#define EVP_CIPHER_CTX_get_mode EVP_CIPHER_CTX_mode

/* 1.1.x has no library context or property query; only the method is used. */
#define SSL_CTX_new_ex(libctx, propq, method) SSL_CTX_new((method))

/* Some safe typedefs to avoid too many ifdefs. On 1.1.x these are never
 * dereferenced; the fetch shims below assert that the context is NULL. */
typedef void OSSL_LIB_CTX;
typedef void OSSL_PROVIDER;
129
/* Mimics the OpenSSL 3 fetch function on top of the 1.1 lookup-by-name API.
 * Only the default library context (ctx == NULL) without a property query
 * (properties == NULL) is supported; anything else is a programming error
 * and trips ASSERT. */
static inline const EVP_CIPHER *
EVP_CIPHER_fetch(void *ctx, const char *algorithm, const char *properties)
{
    ASSERT(ctx == NULL);
    ASSERT(properties == NULL);
    return EVP_get_cipherbyname(algorithm);
}
139
/* Digest counterpart of EVP_CIPHER_fetch(): resolves @algorithm by name via
 * the 1.1 API. Only the default context (ctx == NULL) with no property query
 * (properties == NULL) is supported; anything else trips ASSERT. */
static inline const EVP_MD *
EVP_MD_fetch(void *ctx, const char *algorithm, const char *properties)
{
    ASSERT(ctx == NULL);
    ASSERT(properties == NULL);
    return EVP_get_digestbyname(algorithm);
}
147
/* OpenSSL 1.1.1 and lower only ever hand out const EVP_CIPHER pointers, so
 * the OpenSSL 3 style free is a no-op here. */
static inline void
EVP_CIPHER_free(const EVP_CIPHER *cipher)
{
    (void)cipher; /* nothing to release */
}
153
/* OpenSSL 1.1.1 and lower only ever hand out const EVP_MD pointers, so the
 * OpenSSL 3 style free is a no-op here. */
static inline void
EVP_MD_free(const EVP_MD *md)
{
    (void)md; /* nothing to release */
}
159
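/*
 * Emulation of the OpenSSL 3 ERR_get_error_all() on top of the 1.1 era
 * ERR_get_error_line_data(). The older API carries no function name, so
 * *func is set to an empty string rather than NULL, letting callers print it
 * unconditionally. Any of the output pointers may be NULL, as in OpenSSL 3;
 * the original shim dereferenced @func unconditionally.
 *
 * Returns the error code popped from the queue, 0 when it is empty.
 */
static inline unsigned long
ERR_get_error_all(const char **file, int *line, const char **func, const char **data, int *flags)
{
    if (func != NULL)
    {
        *func = "";
    }
    return ERR_get_error_line_data(file, line, data, flags);
}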
168
169#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
170
171#if OPENSSL_VERSION_NUMBER < 0x30500000 \
172 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3050400fL)
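/*
 * Emulation of the OpenSSL 3.5 SSL_get0_peer_signature_name(): looks up the
 * NID of the signature algorithm the peer used and stores its short name in
 * *sigalg. Returns 1 on success. On failure (no peer signature recorded, or
 * no short name registered for the NID) *sigalg is set to NULL and 0 is
 * returned, matching the LibreSSL fallback variant of this function.
 */
static inline int
SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
{
    *sigalg = NULL;

    int peer_sig_nid = NID_undef;
    if (!SSL_get_peer_signature_nid(ssl, &peer_sig_nid) || peer_sig_nid == NID_undef)
    {
        return 0;
    }

    /* OBJ_nid2sn() returns NULL for an unknown NID; never report success
     * with no name, since callers are expected to print *sigalg. */
    const char *name = OBJ_nid2sn(peer_sig_nid);
    if (name == NULL)
    {
        return 0;
    }

    *sigalg = name;
    return 1;
}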
184#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3050400fL
/* Older LibreSSL versions do not implement any variant of querying the peer
 * signature algorithm, so this stub always reports "unknown": *sigalg is
 * set to NULL and 0 is returned. */
static inline int
SSL_get0_peer_signature_name(const SSL *ssl, const char **sigalg)
{
    (void)ssl; /* no LibreSSL API to query; kept for signature compatibility */
    *sigalg = NULL;
    return 0;
}
193#endif /* if OPENSSL_VERSION_NUMBER < 0x30500000 && (!defined(LIBRESSL_VERSION_NUMBER) || \
194 LIBRESSL_VERSION_NUMBER > 0x3050400fL) */
195
196#if OPENSSL_VERSION_NUMBER < 0x30200000L && OPENSSL_VERSION_NUMBER >= 0x30000000L
/* OpenSSL 3.0/3.1 lack SSL_get0_group_name(); compose it from the negotiated
 * group NID and the NID-to-name lookup those versions do provide. */
static inline const char *
SSL_get0_group_name(SSL *s)
{
    return SSL_group_to_name(s, SSL_get_negotiated_group(s));
}
203#endif
204
205#endif /* OPENSSL_COMPAT_H_ */