Replaced explicit OpenSSL version checks with a configure time define

rapier1 · rapier1 · commit e0f87f595e21 · 2023-07-18T20:04:58.000-04:00
of WITH_OPENSSL3. This has no real functional change but it's more flexible
and easier to read.
diff --git a/cipher-chachapoly-libcrypto-mt.c b/cipher-chachapoly-libcrypto-mt.c
@@ -104,7 +104,7 @@ struct chachapoly_ctx_mt {
    * internal poly1305 methods */
 #ifdef OPENSSL_HAVE_POLY_EVP
 	EVP_MAC_CTX    *poly_ctx;
-#elif (OPENSSL_VERSION_NUMBER < 0x30000000UL) && defined(EVP_PKEY_POLY1305)
+#elif !defined(WITH_OPENSSL3) && defined(EVP_PKEY_POLY1305)
 	EVP_PKEY_CTX   *poly_ctx;
 	EVP_MD_CTX     *md_ctx;
 	EVP_PKEY       *pkey;
@@ -393,7 +393,7 @@ chachapoly_new_mt(u_int startseqnr, const u_char * key, u_int keylen)
 		explicit_bzero(&startseqnr, sizeof(startseqnr));
 		return NULL;
 	}
-#elif (OPENSSL_VERSION_NUMBER < 0x30000000UL) && defined(EVP_PKEY_POLY1305)
+#elif !defined(WITH_OPENSSL3) && defined(EVP_PKEY_POLY1305)
 	ctx_mt->md_ctx = EVP_MD_CTX_new();
 	ctx_mt->pkey = EVP_PKEY_new_mac_key(EVP_PKEY_POLY1305, NULL, ctx_mt->zeros,
 	    POLY1305_KEYLEN);
@@ -567,7 +567,7 @@ chachapoly_crypt_mt(struct chachapoly_ctx_mt *ctx_mt, u_int seqnr, u_char *dest,
 		if (!do_encrypt) {
 			const u_char *tag = src + aadlen + len;
 			u_char expected_tag[POLY1305_TAGLEN];
-#if (OPENSSL_VERSION_NUMBER < 0x30000000UL) && defined(EVP_PKEY_POLY1305)
+#if !defined(WITH_OPENSSL3) && defined(EVP_PKEY_POLY1305)
 			EVP_PKEY_CTX_ctrl(ctx_mt->poly_ctx, -1, EVP_PKEY_OP_SIGNCTX, EVP_PKEY_CTRL_SET_MAC_KEY, POLY1305_KEYLEN, ks->poly_key);
 			EVP_DigestSignUpdate(ctx_mt->md_ctx, src, aadlen + len);
 			ctx_mt->ptaglen = POLY1305_TAGLEN;
@@ -591,7 +591,7 @@ chachapoly_crypt_mt(struct chachapoly_ctx_mt *ctx_mt, u_int seqnr, u_char *dest,
 			/* Crypt payload */
 			fastXOR(dest+aadlen,src+aadlen,ks->mainStream,len);
 			/* calculate and append tag */
-#if (OPENSSL_VERSION_NUMBER < 0x30000000UL) && defined(EVP_PKEY_POLY1305)
+#if !defined(WITH_OPENSSL3) && defined(EVP_PKEY_POLY1305)
 			if (do_encrypt) {
 				EVP_PKEY_CTX_ctrl(ctx_mt->poly_ctx, -1, EVP_PKEY_OP_SIGNCTX, EVP_PKEY_CTRL_SET_MAC_KEY, POLY1305_KEYLEN, ks->poly_key);
 				EVP_DigestSignUpdate(ctx_mt->md_ctx, dest, aadlen + len);
diff --git a/cipher-ctr-mt-functions.c b/cipher-ctr-mt-functions.c
@@ -24,9 +24,8 @@
 
 #include "includes.h"
 
-#ifdef WITH_OPENSSL
 /* only for systems with OSSL 3 */
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#ifdef WITH_OPENSSL3
 #include <stdarg.h>
 #include <string.h>
 #include <openssl/evp.h>
@@ -648,5 +647,4 @@ int aes_mt_do_cipher(void *vevp_ctx,
 	return 1;
 }
 
-#endif /*OPENSSL_VERSION_NUMBER */
-#endif /*WITH_OPENSSL*/
+#endif /*WITH_OPENSSL3*/
diff --git a/cipher-ctr-mt-functions.h b/cipher-ctr-mt-functions.h
@@ -36,9 +36,8 @@
 #include <openssl/aes.h>
 #endif
 
-#ifdef WITH_OPENSSL
 /* only for systems with OSSL 3 */
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#ifdef WITH_OPENSSL3
 
 /*-------------------- TUNABLES --------------------*/
 /* maximum number of threads and queues */
@@ -139,6 +138,5 @@ void *aes_mt_newctx_256(void *);
 void *aes_mt_newctx_192(void *);
 void *aes_mt_newctx_128(void *);
 
-#endif /* VERSION NUMBER */
 #endif /* WITH OPENSSL */
 #endif /* CTR_MT_FUNCS */
diff --git a/cipher-ctr-mt-provider.c b/cipher-ctr-mt-provider.c
@@ -22,9 +22,8 @@
 
 #include "includes.h"
 
-#ifdef WITH_OPENSSL
 /* only for systems with OSSL 3.0+ */
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#ifdef WITH_OPENSSL3
 
 #include <sys/types.h>
 #include <string.h>
@@ -388,5 +387,4 @@ static int aes_mt_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     return ok;
 }
 
-#endif /*OPENSSL_VERSION_NUMBER */
-#endif /*WITH_OPENSSL*/
+#endif /*WITH_OPENSSL3*/
diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c
@@ -23,8 +23,7 @@
  */
 #include "includes.h"
 
-#if defined(WITH_OPENSSL)
-#if OPENSSL_VERSION_NUMBER < 0x30000000UL
+#if defined(WITH_OPENSSL) && !defined(WITH_OPENSSL3)
 #include <sys/types.h>
 
 #include <stdarg.h>
@@ -652,12 +651,6 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
 }
 
 /* <friedl> */
-/* we've stipped out support for LibreSSL and OpenSSL < 1.1
- * it was getting to be too much to maintain. If LibreSSL
- * ever incorporates the meth_new() functionality we'll
- * reinstate support in configure.ac
- * cjr 2/8/2023
- */
 const EVP_CIPHER *
 evp_aes_ctr_mt(void)
 {
@@ -675,5 +668,4 @@ evp_aes_ctr_mt(void)
 #  endif /*SSH_OLD_EVP*/
 	return aes_ctr;
 }
-#endif /* OSSL VERSION NUMBER */
-#endif /* OSSL */
+#endif /* OSSL Check */
diff --git a/cipher.c b/cipher.c
@@ -53,7 +53,7 @@
 #include "openbsd-compat/openssl-compat.h"
 
 /* for provider functions */
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#ifdef WITH_OPENSSL3
 #include <openssl/err.h>
 #include <openssl/params.h>
 #include <openssl/provider.h>
@@ -381,7 +381,7 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
 	 * we load our hpnssh provider. If it doesn't (OSSL < 1.1) then we use the
 	 * _meth_new process found in cipher-ctr-mt.c */
 	if (strstr(cc->cipher->name, "ctr") && post_auth) {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#ifdef WITH_OPENSSL3
 		/* this version of openssl uses providers */
 		OSSL_LIB_CTX *aes_lib = NULL; /* probably not needed */
 		OSSL_PROVIDER *aes_mt_provider = NULL;
@@ -420,7 +420,7 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
 		 * then we'd only have to call EVP_CIPHER_meth once but this
 		 * works for now. TODO: This. cjr 02.22.2023 */
 		cc->meth_ptr = type;
-#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* WITH_OPENSSL3 */
 	} /* if (strstr()) */
 	if (EVP_CipherInit(cc->evp, type, NULL, (u_char *)iv,
 	    (do_encrypt == CIPHER_ENCRYPT)) == 0) {
diff --git a/configure.ac b/configure.ac
@@ -2851,21 +2851,20 @@ if test "x$openssl" = "xyes" ; then
 			200*)   AC_MSG_ERROR([LibreSSL versions older than 3.7 are no longer suported by HPN-SSH.])
                                 ;; # LibreSSL unsupported versions
 			Libre*) ;; # LibreSSL that supports evp_cipher_meth_* functions
-#			300*)   ;; # OpenSSL 3
-#			301*)   ;; # OpenSSL development branch.
-#			302*)   ;; # OpenSSL master branch
-#			*)
 			300*)
 				# OpenSSL 3; we use the 1.1x API
 				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
+				AC_DEFINE([WITH_OPENSSL3], [1], [With OpenSSL3])
 				;;
 			301*|302*)
 				# OpenSSL development branch; request 1.1x API
 				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
+				AC_DEFINE([WITH_OPENSSL3], [1], [With OpenSSL3])
 				;;
 			302*)
 				# OpenSSL Master Branch; request 1.1x API
 				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
+				AC_DEFINE([WITH_OPENSSL3], [1], [With OpenSSL3])
 				;;
 			*)
 				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
diff --git a/num.c b/num.c
@@ -3,8 +3,7 @@
 #include <string.h>
 #include "num.h"
 
-#ifdef WITH_OPENSSL
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#ifdef WITH_OPENSSL3
 
 typedef enum { BIG = 1, LITTLE = -1 }  endian_t;
 typedef enum { NEGATIVE = 0xff, POSITIVE = 0x00 } sign_t;
@@ -154,5 +153,4 @@ static struct resultdesc provnum_copy(struct numdesc dest, struct numdesc src)
 
 implement_provnum(size_t, OSSL_PARAM_UNSIGNED_INTEGER)
 
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000UL */
-#endif /* WITH_OPENSSL */
+#endif /* WITH_OPENSSL3 */
diff --git a/num.h b/num.h
@@ -1,8 +1,7 @@
 /* CC0 license applied, see LICENCE.md */
 
 #include "includes.h"
-#ifdef WITH_OPENSSL
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#ifdef WITH_OPENSSL3
 
 #include <openssl/core.h>
 
@@ -13,5 +12,4 @@ int provnum_set_size_t(OSSL_PARAM *param, size_t src);
 #define PROVNUM_E_WRONG_TYPE    -1
 #define PROVNUM_E_TOOBIG        -2
 #define PROVNUM_E_UNSUPPORTED   -3
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000UL */
-#endif /* WITH_OPENSSL */
+#endif /* WITH_OPENSSL3 */
diff --git a/ossl3-provider-err.c b/ossl3-provider-err.c
@@ -4,8 +4,7 @@
 #include <stdlib.h>
 #include "ossl3-provider-err.h"
 
-#ifdef WITH_OPENSSL
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#ifdef WITH_OPENSSL3
 
 struct proverr_functions_st {
   const OSSL_CORE_HANDLE *core;
@@ -106,5 +105,4 @@ void proverr_set_error(const struct proverr_functions_st *handle,
   va_end(ap);
 }
 
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000UL */
-#endif /* WITH_OPENSSL */
+#endif /* WITH_OPENSSL3 */
diff --git a/ossl3-provider-err.h b/ossl3-provider-err.h
@@ -1,8 +1,7 @@
 /* CC0 license applied, see LICENCE.md */
 
 #include "includes.h"
-#ifdef WITH_OPENSSL
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#ifdef WITH_OPENSSL3
 #include <stdint.h>
 #include <openssl/core.h>
 #include <openssl/core_dispatch.h>
@@ -71,5 +70,4 @@ void proverr_set_error_debug(const struct proverr_functions_st *handle,
                              const char *file, int line, const char *func);
 void proverr_set_error(const struct proverr_functions_st *handle,
                        uint32_t reason, const char *fmt, ...);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000UL */
-#endif /* WITH_OPENSSL */
+#endif /* WITH_OPENSSL3 */
