From 5bd5ecc5b8212f71dbda6934f6baf3510d96768b Mon Sep 17 00:00:00 2001
From: Alexey Sokolov
Date: Mon, 29 Jun 2026 19:19:40 +0100
Subject: [PATCH] Remove old ssl compatibility code

---
 CMakeLists.txt | 10 ----
 include/znc/zncconfig.h.cmake.in | 1 -
 modules/crypt.cpp | 37 --------
 modules/schat.cpp | 7 ---
 src/SSLVerifyHost.cpp | 14 ++----
 src/Utils.cpp | 4 --
 src/main.cpp | 83 --------
 7 files changed, 4 insertions(+), 152 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index b30bfb3c..95ac2396 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -86,16 +86,6 @@ if(WANT_OPENSSL)
 find_package(OpenSSL 1.1.1 ${TRISTATE_OPENSSL_REQUIRED})
 if(OPENSSL_FOUND)
- # SSL_SESSION was made opaque in OpenSSL 1.1.0;
- # LibreSSL gained that function later too.
- # TODO: maybe remove this check at some point, and stop supporting old
- # libssl versions
- cmake_push_check_state(RESET)
- set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES})
- set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
- check_cxx_symbol_exists(SSL_SESSION_get0_cipher openssl/ssl.h
- HAVE_SSL_SESSION_get0_cipher)
- cmake_pop_check_state()
 set(ZNC_CMAKE_FIND_DEPS "${ZNC_CMAKE_FIND_DEPS}\nfind_dependency(OpenSSL)")
 list(APPEND zncpubdeps OpenSSL::SSL)
diff --git a/include/znc/zncconfig.h.cmake.in b/include/znc/zncconfig.h.cmake.in
index 5253b699..f48f8f53 100644
--- a/include/znc/zncconfig.h.cmake.in
+++ b/include/znc/zncconfig.h.cmake.in
@@ -31,7 +31,6 @@
 #define HAVE_PTHREAD 1
 #cmakedefine HAVE_THREADED_DNS 1
 #cmakedefine HAVE_LIBSSL 1
-#cmakedefine HAVE_SSL_SESSION_get0_cipher 1
 #cmakedefine HAVE_IPV6 1
 #cmakedefine HAVE_ZLIB 1
 #cmakedefine HAVE_I18N 1
diff --git a/modules/crypt.cpp b/modules/crypt.cpp
index ab2a3866..2797c423 100644
--- a/modules/crypt.cpp
+++ b/modules/crypt.cpp
@@ -68,43 +68,6 @@ class CCryptMod : public CModule { CString m_sPrivKey; CString m_sPubKey; -#if OPENSSL_VERSION_NUMBER < 0X10100000L || \ - (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02070000fL) - static int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g) { - /* If the fields p and g in dh are nullptr, the corresponding input - * parameters MUST be non-nullptr. q may remain nullptr. - */ - if (dh == nullptr || (dh->p == nullptr && p == nullptr) || - (dh->g == nullptr && g == nullptr)) - return 0; - - if (p != nullptr) { - BN_free(dh->p); - dh->p = p; - } - if (g != nullptr) { - BN_free(dh->g); - dh->g = g; - } - if (q != nullptr) { - BN_free(dh->q); - dh->q = q; - dh->length = BN_num_bits(q); - } - - return 1; - } - - static void DH_get0_key(const DH* dh, const BIGNUM** pub_key, - const BIGNUM** priv_key) { - if (dh != nullptr) { - if (pub_key != nullptr) *pub_key = dh->pub_key; - if (priv_key != nullptr) *priv_key = dh->priv_key; - } - } - -#endif - bool DH1080_gen() { /* Generate our keys on first call */ if (m_sPrivKey.empty() || m_sPubKey.empty()) { diff --git a/modules/schat.cpp b/modules/schat.cpp index b0ac7c97..d7502b98 100644 --- a/modules/schat.cpp +++ b/modules/schat.cpp @@ -25,13 +25,6 @@ #include #include -#ifndef HAVE_SSL_SESSION_get0_cipher -/* SSL_SESSION was made opaque in OpenSSL 1.1.0, cipher accessor was added 2 -weeks before the public release. -See openssl/openssl@e92813234318635639dba0168c7ef5568757449b. */ -# define SSL_SESSION_get0_cipher(pSession) ((pSession)->cipher) -#endif - using std::pair; using std::stringstream; using std::map; diff --git a/src/SSLVerifyHost.cpp b/src/SSLVerifyHost.cpp index 99b215bc..1f7daba6 100644 --- a/src/SSLVerifyHost.cpp +++ b/src/SSLVerifyHost.cpp 
@@ -19,12 +19,6 @@ #include #ifdef HAVE_LIBSSL -#if defined(OPENSSL_VERSION_NUMBER) && !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100007 -# define CONST_ASN1_STRING_DATA const /* 1.1.0-pre7: openssl/openssl@17ebf85abda18c3875b1ba6670fe7b393bc1f297 */ -#else -# define ASN1_STRING_get0_data( x ) ASN1_STRING_data( x ) -# define CONST_ASN1_STRING_DATA -#endif #include @@ -308,7 +302,7 @@ static HostnameValidationResult matches_common_name(const char* hostname, int common_name_loc = -1; const X509_NAME_ENTRY* common_name_entry = nullptr; const ASN1_STRING* common_name_asn1 = nullptr; - CONST_ASN1_STRING_DATA char* common_name_str = nullptr; + const char* common_name_str = nullptr; // Find the position of the CN field in the Subject field of the certificate common_name_loc = X509_NAME_get_index_by_NID( @@ -330,7 +324,7 @@ static HostnameValidationResult matches_common_name(const char* hostname, return Error; } common_name_str = - (CONST_ASN1_STRING_DATA char*)ASN1_STRING_get0_data(common_name_asn1); + (const char*)ASN1_STRING_get0_data(common_name_asn1); // Make sure there isn't an embedded NUL character in the CN if (ASN1_STRING_length(common_name_asn1) != @@ -384,8 +378,8 @@ static HostnameValidationResult matches_subject_alternative_name( if (current_name->type == GEN_DNS) { // Current name is a DNS name, let's check it - CONST_ASN1_STRING_DATA char* dns_name = - (CONST_ASN1_STRING_DATA char*)ASN1_STRING_get0_data( + const char* dns_name = + (const char*)ASN1_STRING_get0_data( current_name->d.dNSName); // Make sure there isn't an embedded NUL character in the DNS name diff --git a/src/Utils.cpp b/src/Utils.cpp index 744f61d1..bd540955 100644 --- a/src/Utils.cpp +++ b/src/Utils.cpp 
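Review bot: The new-side `(const char*)ASN1_STRING_get0_data(current_name->d.dNSName)` in the `@@ -384` hunk keeps a C-style cast now that the `CONST_ASN1_STRING_DATA` macro is gone; `ASN1_STRING_get0_data` returns `const unsigned char*`, so this is a pointer reinterpretation and reads more honestly as `reinterpret_cast<const char*>(ASN1_STRING_get0_data(current_name->d.dNSName))`, which also makes such casts greppable in the hostname-verification path. The same applies to the cast assigned to `common_name_str` in the `@@ -330` hunk above. The comment on the hunk's last line shows the embedded-NUL length check still follows the cast; that ordering matters, because treating the `const char*` view of a certificate name as a C string is only safe once that check has passed, so the check should stay adjacent if this code is touched again. matches_subject_alternative_name begins and ends outside this hunk.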
@@ -30,10 +30,6 @@ #include #include #include -#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L)) -#define X509_getm_notBefore X509_get_notBefore -#define X509_getm_notAfter X509_get_notAfter -#endif #endif /* HAVE_LIBSSL */ #include #include diff --git a/src/main.cpp b/src/main.cpp index 34907bfe..b9ecfd67 100644 --- a/src/main.cpp +++ b/src/main.cpp 
@@ -19,87 +19,6 @@ #include #include -#if defined(HAVE_LIBSSL) && defined(HAVE_PTHREAD) && \ - (!defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100004) -/* Starting with version 1.1.0-pre4, OpenSSL has a new threading implementation - that doesn't need locking callbacks. - - "OpenSSL now uses a new threading API. It is no longer necessary to set - locking callbacks to use OpenSSL in a multi-threaded environment. There are - two supported threading models: pthreads and windows threads. It is also - possible to configure OpenSSL at compile time for "no-threads". The old - threading API should no longer be used. The functions have been replaced - with "no-op" compatibility macros." - - See openssl/openssl@2e52e7df518d80188c865ea3f7bb3526d14b0c08. */ -#include -#include -#include - -static std::vector> lock_cs; - -static void locking_callback(int mode, int type, const char* file, int line) { - if (mode & CRYPTO_LOCK) { - lock_cs[type]->lock(); - } else { - lock_cs[type]->unlock(); - } -} - -#if OPENSSL_VERSION_NUMBER >= 0x10000000 -static void thread_id_callback(CRYPTO_THREADID *id) { - CRYPTO_THREADID_set_numeric(id, (unsigned long)pthread_self()); -} -#else -static unsigned long thread_id_callback() { - return (unsigned long)pthread_self(); -} -#endif - -static CRYPTO_dynlock_value* dyn_create_callback(const char* file, int line) { - return (CRYPTO_dynlock_value*)new CMutex; -} - -static void dyn_lock_callback(int mode, CRYPTO_dynlock_value* dlock, - const char* file, int line) { - CMutex* mtx = (CMutex*)dlock; - - if (mode & CRYPTO_LOCK) { - mtx->lock(); - } else { - mtx->unlock(); - } -} - -static void dyn_destroy_callback(CRYPTO_dynlock_value* dlock, const char* file, - int line) { - CMutex* mtx = (CMutex*)dlock; - - delete mtx; -} - -static void thread_setup() { - lock_cs.resize(CRYPTO_num_locks()); - - for (std::unique_ptr& mtx : lock_cs) - mtx = std::unique_ptr(new CMutex()); - -#if OPENSSL_VERSION_NUMBER >= 0x10000000 - 
CRYPTO_THREADID_set_callback(&thread_id_callback); -#else - CRYPTO_set_id_callback(&thread_id_callback); -#endif - CRYPTO_set_locking_callback(&locking_callback); - - CRYPTO_set_dynlock_create_callback(&dyn_create_callback); - CRYPTO_set_dynlock_lock_callback(&dyn_lock_callback); - CRYPTO_set_dynlock_destroy_callback(&dyn_destroy_callback); -} - -#else -#define thread_setup() -#endif - using std::cout; using std::endl; using std::set; @@ -295,8 +214,6 @@ int main(int argc, char** argv) { CString sConfig; CString sDataDir = ""; - thread_setup(); - seedPRNG(); CDebug::SetStdoutIsTTY(isatty(1));