This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit a8f07805eb0bd8897239c7a8f8a4581ffd3fb2c9 Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed May 25 19:04:26 2022 +0100 Remove conditional compilation expressions for OpenSSL versions before 3 --- native/include/ssl_private.h | 8 +-- native/src/ssl.c | 42 +++++-------- native/src/sslcontext.c | 144 ++++++------------------------------------- native/src/sslutils.c | 11 ---- 4 files changed, 39 insertions(+), 166 deletions(-) diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h index 4d99ece20..be0c7d563 100644 --- a/native/include/ssl_private.h +++ b/native/include/ssl_private.h @@ -214,8 +214,8 @@ extern ENGINE *tcn_ssl_engine; #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ -/* OpenSSL 1.0.2 compatibility */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +/* LibreSSL compatibility */ +#if defined(LIBRESSL_VERSION_NUMBER) #define OpenSSL_version SSLeay_version #define OpenSSL_version_num SSLeay #define OPENSSL_VERSION SSLEAY_VERSION @@ -240,7 +240,7 @@ extern ENGINE *tcn_ssl_engine; #define TLS_method SSLv23_method #define TLS_client_method SSLv23_client_method #define TLS_server_method SSLv23_server_method -#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */ +#endif /* defined(LIBRESSL_VERSION_NUMBER) */ #define MAX_ALPN_PROTO_SIZE 65535 #define SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL 1 @@ -390,7 +390,7 @@ int SSL_rand_seed(const char *file); int SSL_callback_alpn_select_proto(SSL *, const unsigned char **, unsigned char *, const unsigned char *, unsigned int, void *); void SSL_callback_add_keylog(SSL_CTX *); -#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && ! (defined(WIN32) || defined(WIN64)) +#if defined(LIBRESSL_VERSION_NUMBER) && ! (defined(WIN32) || defined(WIN64)) unsigned long SSL_ERR_get(void); void SSL_ERR_clear(void); #else 
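Review bot: Nothing in the ssl_private.h hunks rejects a build against an OpenSSL older than 3.0, although the commit removes the `OPENSSL_VERSION_NUMBER` tests that used to select the older code paths. Such a build would now fail late, at the first 3.0-only symbol (for example the unconditional `OSSL_HTTP_parse_url` call in sslutils.c), instead of with a clear message. If the build system does not already enforce the minimum, which is not visible here, add an explicit guard next to the LibreSSL compatibility block: `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x30000000L`, `#error "OpenSSL 3.0.0 or later is required"`, `#endif`.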
diff --git a/native/src/ssl.c b/native/src/ssl.c index fa8209cbe..d6f19ef44 100644 --- a/native/src/ssl.c +++ b/native/src/ssl.c @@ -43,7 +43,7 @@ static void ssl_keylog_callback(const SSL *ssl, const char *line) static jclass byteArrayClass; static jclass stringClass; -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) /* Global reference to the pool used by the dynamic mutexes */ static apr_pool_t *dynlockpool = NULL; @@ -207,8 +207,8 @@ static const jint supported_ssl_opts = 0 #endif | 0; -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -/* OpenSSL Pre-1.1.0 compatibility */ +#if defined(LIBRESSL_VERSION_NUMBER) +/* LibreSSL compatibility */ /* Taken from OpenSSL 1.1.0 snapshot 20160410 */ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { @@ -316,7 +316,7 @@ DH *SSL_get_dh_params(unsigned keylen) return NULL; /* impossible to reach. */ } -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) static void init_bio_methods(void); static void free_bio_methods(void); #endif @@ -344,7 +344,7 @@ static apr_status_t ssl_init_cleanup(void *data) return APR_SUCCESS; ssl_initialized = 0; -#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && ! (defined(WIN32) || defined(WIN64)) +#if defined(LIBRESSL_VERSION_NUMBER) && ! (defined(WIN32) || defined(WIN64)) if (threadkey_initialized) { threadkey_initialized = 0; apr_threadkey_private_delete(thread_exit_key); @@ -357,7 +357,7 @@ static apr_status_t ssl_init_cleanup(void *data) tcn_password_callback.cb.obj); } -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) free_bio_methods(); #endif free_dh_params(); 
@@ -370,7 +370,7 @@ static apr_status_t ssl_init_cleanup(void *data) } #endif -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) /* Openssl v1.1+ handles all termination automatically. Do * nothing in this case. */ @@ -378,9 +378,6 @@ static apr_status_t ssl_init_cleanup(void *data) /* * Try to kill the internals of the SSL library. */ -#ifdef OPENSSL_FIPS - FIPS_mode_set(0); -#endif /* Corresponds to OPENSSL_load_builtin_modules() */ CONF_modules_free(); /* Corresponds to SSL_library_init: */ @@ -392,9 +389,7 @@ static apr_status_t ssl_init_cleanup(void *data) SSL_COMP_free_compression_methods(); #endif CRYPTO_cleanup_all_ex_data(); -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ERR_remove_thread_state(NULL); -#endif #endif if (key_log_file) { @@ -431,10 +426,10 @@ static ENGINE *ssl_try_load_engine(const char *engine) #endif /* - * To ensure thread-safetyness in OpenSSL + * To ensure thread-safetyness in LibreSSL */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) static apr_thread_mutex_t **ssl_lock_cs; static int ssl_lock_num_locks; @@ -459,7 +454,7 @@ static unsigned long ssl_thread_id(void) return (unsigned long)tcn_get_thread_id(); } -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) #if ! (defined(WIN32) || defined(WIN64)) void SSL_thread_exit(void) { ERR_remove_thread_state(NULL); @@ -746,7 +741,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine) { jclass clazz; jclass sClazz; -#if !defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER < 0x10100000L +#if !defined(OPENSSL_NO_ENGINE) apr_status_t err = APR_SUCCESS; #endif 
@@ -763,7 +758,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine) TCN_FREE_CSTRING(engine); return (jint)APR_SUCCESS; } -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) /* Openssl v1.1+ handles all initialisation automatically, apart * from hints as to how we want to use the library. * @@ -837,7 +832,7 @@ TCN_IMPLEMENT_CALL(jint, SSL, initialize)(TCN_STDARGS, jstring engine) SSL_init_app_data_idx(); init_dh_params(); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) init_bio_methods(); #endif @@ -1013,13 +1008,6 @@ static int jbs_new(BIO *bi) j->refcount = 1; BIO_set_shutdown(bi, 1); BIO_set_init(bi, 0); -#if OPENSSL_VERSION_NUMBER < 0x10100000L - /* No setter method for OpenSSL 1.1.0 available, - * but I can't find any functional use of the - * "num" field there either. - */ - bi->num = -1; -#endif BIO_set_data(bi, (void *)j); return 1; @@ -1149,7 +1137,7 @@ static long jbs_ctrl(BIO *b, int cmd, long num, void *ptr) return ret; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) static BIO_METHOD jbs_methods = { BIO_TYPE_FILE, "Java Callback", @@ -1185,7 +1173,7 @@ static void free_bio_methods(void) static BIO_METHOD *BIO_jbs() { -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) return(&jbs_methods); #else return jbs_methods; diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c index 80a252021..348725499 100644 --- a/native/src/sslcontext.c +++ b/native/src/sslcontext.c 
@@ -129,7 +129,7 @@ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, tcn_ssl_ctxt_t *c) return SSL_TLSEXT_ERR_OK; } -#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) /* * This callback function is called when the ClientHello is received. */ @@ -225,7 +225,7 @@ give_up: } return SSL_CLIENT_HELLO_SUCCESS; } -#endif /* OPENSSL_VERSION_NUMBER < 0x10101000L */ +#endif /* Initialize server context */ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool, @@ -236,9 +236,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool, SSL_CTX *ctx = NULL; jclass clazz; jclass sClazz; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L jint prot; -#endif UNREFERENCED(o); if (protocol == SSL_PROTOCOL_NONE) { 
@@ -246,73 +244,12 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool, goto init_failed; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L - if (protocol == SSL_PROTOCOL_TLSV1_3) { -#ifdef HAVE_TLSV1_3 - if (mode == SSL_MODE_CLIENT) - ctx = SSL_CTX_new(TLSv1_3_client_method()); - else if (mode == SSL_MODE_SERVER) - ctx = SSL_CTX_new(TLSv1_3_server_method()); - else - ctx = SSL_CTX_new(TLSv1_3_method()); -#endif - } else if (protocol == SSL_PROTOCOL_TLSV1_2) { -#ifdef HAVE_TLSV1_2 - if (mode == SSL_MODE_CLIENT) - ctx = SSL_CTX_new(TLSv1_2_client_method()); - else if (mode == SSL_MODE_SERVER) - ctx = SSL_CTX_new(TLSv1_2_server_method()); - else - ctx = SSL_CTX_new(TLSv1_2_method()); -#endif - } else if (protocol == SSL_PROTOCOL_TLSV1_1) { -#ifdef HAVE_TLSV1_1 - if (mode == SSL_MODE_CLIENT) - ctx = SSL_CTX_new(TLSv1_1_client_method()); - else if (mode == SSL_MODE_SERVER) - ctx = SSL_CTX_new(TLSv1_1_server_method()); - else - ctx = SSL_CTX_new(TLSv1_1_method()); -#endif - } else if (protocol == SSL_PROTOCOL_TLSV1) { - if (mode == SSL_MODE_CLIENT) - ctx = SSL_CTX_new(TLSv1_client_method()); - else if (mode == SSL_MODE_SERVER) - ctx = SSL_CTX_new(TLSv1_server_method()); - else - ctx = SSL_CTX_new(TLSv1_method()); - } else if (protocol == SSL_PROTOCOL_SSLV3) { - if (mode == SSL_MODE_CLIENT) - ctx = SSL_CTX_new(SSLv3_client_method()); - else if (mode == SSL_MODE_SERVER) - ctx = SSL_CTX_new(SSLv3_server_method()); - else - ctx = SSL_CTX_new(SSLv3_method()); - } else if (protocol == SSL_PROTOCOL_SSLV2) { - /* requested but not supported */ -#ifndef HAVE_TLSV1_3 - } else if (protocol & SSL_PROTOCOL_TLSV1_3) { - /* requested but not supported */ -#endif -#ifndef HAVE_TLSV1_2 - } else if (protocol & SSL_PROTOCOL_TLSV1_2) { - /* requested but not supported */ -#endif -#ifndef HAVE_TLSV1_1 - } else if (protocol & SSL_PROTOCOL_TLSV1_1) { - /* requested but not supported */ -#endif - } else { -#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ - if (mode == 
SSL_MODE_CLIENT) - ctx = SSL_CTX_new(TLS_client_method()); - else if (mode == SSL_MODE_SERVER) - ctx = SSL_CTX_new(TLS_server_method()); - else - ctx = SSL_CTX_new(TLS_method()); -#if OPENSSL_VERSION_NUMBER < 0x10100000L - } -#endif + if (mode == SSL_MODE_CLIENT) + ctx = SSL_CTX_new(TLS_client_method()); + else if (mode == SSL_MODE_SERVER) + ctx = SSL_CTX_new(TLS_server_method()); + else + ctx = SSL_CTX_new(TLS_method()); if (!ctx) { char err[256]; @@ -336,7 +273,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool, BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT); SSL_CTX_set_options(c->ctx, SSL_OP_ALL); -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) /* always disable SSLv2, as per RFC 6176 */ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); if (!(protocol & SSL_PROTOCOL_SSLV3)) @@ -356,7 +293,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool, SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_3); #endif -#else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */ +#else /* We first determine the maximum protocol version we should provide */ #ifdef HAVE_TLSV1_3 if (protocol & SSL_PROTOCOL_TLSV1_3) { @@ -396,7 +333,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool, prot = SSL3_VERSION; } SSL_CTX_set_min_proto_version(ctx, prot); -#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ +#endif /* * Configure additional context ingredients 
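Review bot: The return value of `SSL_CTX_set_min_proto_version(ctx, prot)` at the end of the protocol-selection block is ignored, and after this commit that block is the only place an OpenSSL build restricts the protocol range. The call returns 0 on failure, in which case the context keeps the library's default minimum rather than the one derived from `protocol`. Check the result and fail context creation, e.g. `if (!SSL_CTX_set_min_proto_version(ctx, prot)) goto init_failed;`, provided that label releases what has been allocated by then, which the hunk does not show. Any matching maximum-version call outside the visible lines deserves the same check.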
@@ -463,7 +400,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool, SSL_CTX_set_tlsext_servername_callback(c->ctx, ssl_callback_ServerNameIndication); SSL_CTX_set_tlsext_servername_arg(c->ctx, c); -#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) +#if !defined(LIBRESSL_VERSION_NUMBER) /* * The ClientHello callback also allows to retrieve the SNI, but since it * runs at the earliest possible connection stage we can even set the TLS @@ -640,7 +577,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, getCiphers)(TCN_STDARGS, jlong ctx) const char *name; int i; jstring c_name; -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) SSL *ssl; #endif @@ -651,9 +588,9 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, getCiphers)(TCN_STDARGS, jlong ctx) return NULL; } - /* Before OpenSSL 1.1.0, get_ciphers() was only available + /* For LibreSSL get_ciphers() iss only available * on an SSL, not for an SSL_CTX. */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) ssl = SSL_new(c->ctx); if (ssl == NULL) { tcn_ThrowException(e, "could not create temporary ssl from ssl context"); @@ -667,7 +604,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, getCiphers)(TCN_STDARGS, jlong ctx) len = sk_SSL_CIPHER_num(sk); if (len <= 0) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) SSL_free(ssl); #endif return NULL; @@ -682,7 +619,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, getCiphers)(TCN_STDARGS, jlong ctx) c_name = (*e)->NewStringUTF(e, name); (*e)->SetObjectArrayElement(e, array, i, c_name); } -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) SSL_free(ssl); #endif return array; 
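Review bot: The comment rewritten in getCiphers contains a typo, `iss`, on the added line. It should read `/* For LibreSSL get_ciphers() is only available` with the second line of the comment unchanged.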
@@ -1201,21 +1138,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificate)(TCN_STDARGS, jlong ctx, (eckey = EC_KEY_new_by_curve_name(nid))) { SSL_CTX_set_tmp_ecdh(c->ctx, eckey); } - /* - * ...otherwise, enable auto curve selection (OpenSSL 1.0.2) - * or configure NIST P-256 (required to enable ECDHE for earlier versions) - * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList - */ -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) - else { -#if defined(SSL_CTX_set_ecdh_auto) - SSL_CTX_set_ecdh_auto(c->ctx, 1); -#else - eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - SSL_CTX_set_tmp_ecdh(c->ctx, eckey); -#endif - } -#endif + /* OpenSSL assures us that _free() is NULL-safe */ EC_KEY_free(eckey); EC_GROUP_free(ecparams); @@ -1328,15 +1251,6 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateRaw)(TCN_STDARGS, jlong c /* * TODO try to read the ECDH curve name from somewhere... */ -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) -#if defined(SSL_CTX_set_ecdh_auto) - SSL_CTX_set_ecdh_auto(c->ctx, 1); -#else - eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - SSL_CTX_set_tmp_ecdh(c->ctx, eckey); - EC_KEY_free(eckey); -#endif -#endif #endif SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH); cleanup: @@ -1825,7 +1739,7 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setSessionTicketKeys)(TCN_STDARGS, jlong ct } -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) /* * Adapted from OpenSSL: @@ -1925,7 +1839,7 @@ static const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){ if (cipher == NULL) { return "UNKNOWN"; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +#if defined(LIBRESSL_VERSION_NUMBER) kx = cipher->algorithm_mkey; auth = cipher->algorithm_auth; #else 
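Review bot: With the `else` branch and its comment removed from setCertificate, nothing explains what happens when the certificate file carries no EC parameters; only a blank line is left after the `SSL_CTX_set_tmp_ecdh` block. A one-line replacement keeps the intent, e.g. `/* No EC parameters in the file: ECDH stays enabled unless excluded from SSLCipherList. */`. Separately, `EC_KEY_new_by_curve_name` and `SSL_CTX_set_tmp_ecdh` are deprecated in OpenSSL 3.0, which this commit makes the minimum; if `nid` is an `int`, `SSL_CTX_set1_groups(c->ctx, &nid, 1)` expresses the same preference without the low-level EC_KEY object. The enclosing function starts and ends outside the hunk.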
@@ -1937,12 +1851,6 @@ static const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){ { case TCN_SSL_kRSA: return SSL_TXT_RSA; -#if OPENSSL_VERSION_NUMBER < 0x10100000L - case TCN_SSL_kDHr: - return SSL_TXT_DH "_" SSL_TXT_RSA; - case TCN_SSL_kDHd: - return SSL_TXT_DH "_" SSL_TXT_DSS; -#endif case TCN_SSL_kDHE: switch (auth) { @@ -1955,14 +1863,6 @@ static const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){ default: return "UNKNOWN"; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L - case TCN_SSL_kKRB5: - return SSL_TXT_KRB5; - case TCN_SSL_kECDHr: - return SSL_TXT_ECDH "_" SSL_TXT_RSA; - case TCN_SSL_kECDHe: - return SSL_TXT_ECDH "_" SSL_TXT_ECDSA; -#endif case TCN_SSL_kECDHE: switch (auth) { @@ -1981,9 +1881,6 @@ static const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher){ } static const char* SSL_authentication_method(const SSL* ssl) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L - return SSL_CIPHER_authentication_method(ssl->s3->tmp.new_cipher); -#else /* XXX ssl->s3->tmp.new_cipher is no longer available in OpenSSL 1.1.0 */ /* https://github.com/netty/netty-tcnative/blob/1.1.33/openssl-dynamic/src/main/c/sslcontext.c * contains a different method, but I think this is not correct. @@ -1992,7 +1889,6 @@ static const char* SSL_authentication_method(const SSL* ssl) { /* Not sure whether SSL_get_current_cipher(ssl) returns something useful * at the point in time we call it. */ return SSL_CIPHER_authentication_method(SSL_get_current_cipher(ssl)); -#endif } /* Android end */ diff --git a/native/src/sslutils.c b/native/src/sslutils.c index e2118a923..caa9d5a9a 100644 --- a/native/src/sslutils.c +++ b/native/src/sslutils.c 
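Review bot: The comments kept inside SSL_authentication_method now describe code that is no longer in the file: with the `#if` removed there is no `ssl->s3->tmp.new_cipher` branch for the `XXX ... no longer available in OpenSSL 1.1.0` remark to refer to. The remaining doubt about `SSL_get_current_cipher(ssl)` can be settled in the comment too, because SSL_CIPHER_authentication_method returns "UNKNOWN" for a NULL cipher. Suggested replacement for the three comment blocks: `/* SSL_get_current_cipher() may return NULL before a session is established; the callee maps that to "UNKNOWN". */`.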
@@ -524,15 +524,11 @@ static int ssl_verify_OCSP(X509_STORE_CTX *ctx) * may yield NULL. Return early, but leave the ctx error as is. */ return OCSP_STATUS_UNKNOWN; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L - else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) { -#else /* No need to check cert->valid, because ssl_verify_OCSP() only * is called if OpenSSL already successfully verified the certificate * (parameter "ok" in SSL_callback_SSL_verify() must be true). */ else if (X509_check_issued(cert,cert) == X509_V_OK) { -#endif /* don't do OCSP checking for valid self-issued certs */ X509_STORE_CTX_set_error(ctx, X509_V_OK); return OCSP_STATUS_UNKNOWN; @@ -845,9 +841,6 @@ static OCSP_RESPONSE *parse_ocsp_resp(char *buf, int len) BIO_write(mem, buf, len); /* write the buffer to the bio */ if (BIO_gets(mem, tmpbuf, 512) <= 0) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L - OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR); -#endif goto err; } /* Parse the HTTP response. This will look like this: @@ -973,11 +966,7 @@ static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, X509 *cert, X509 *issuer, int ok = 0; apr_socket_t *apr_sock = NULL; apr_pool_t *mp; -#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (OCSP_parse_url(url, &hostname, &c_port, &path, &use_ssl) == 0) -#else if (OSSL_HTTP_parse_url(url, &use_ssl, NULL, &hostname, &c_port, NULL, &path, NULL, NULL) == 0) -#endif goto end; if (sscanf(c_port, "%d", &port) != 1) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
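Review bot: The get_ocsp_response hunk makes `OSSL_HTTP_parse_url` unconditional, but the removed test `OPENSSL_VERSION_NUMBER < 0x30000000L` was also what routed LibreSSL builds to `OCSP_parse_url`. The rest of this commit deliberately keeps the `defined(LIBRESSL_VERSION_NUMBER)` branches, and to my knowledge LibreSSL does not provide `OSSL_HTTP_parse_url`, so this file would no longer build there. Keep the old call under `#if defined(LIBRESSL_VERSION_NUMBER)` with `if (OCSP_parse_url(url, &hostname, &c_port, &path, &use_ssl) == 0)` and the new call in the `#else`. On the OpenSSL side, the sixth argument of `OSSL_HTTP_parse_url` can return the numeric port directly, which would replace the unbounded `sscanf(c_port, "%d", &port)` that follows.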