diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index b63b35e9f..2baa7bfcf 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -33,49 +33,9 @@
#include "aes_wrap.h"
#include "crypto.h"
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-/* Compatibility wrappers for older versions. */
-
-static HMAC_CTX * HMAC_CTX_new(void)
-{
- HMAC_CTX *ctx;
-
- ctx = os_zalloc(sizeof(*ctx));
- if (ctx)
- HMAC_CTX_init(ctx);
- return ctx;
-}
-
-
-static void HMAC_CTX_free(HMAC_CTX *ctx)
-{
- if (!ctx)
- return;
- HMAC_CTX_cleanup(ctx);
- bin_clear_free(ctx, sizeof(*ctx));
-}
-
-static EVP_MD_CTX * EVP_MD_CTX_new(void)
-{
- EVP_MD_CTX *ctx;
- ctx = os_zalloc(sizeof(*ctx));
- if (ctx)
- EVP_MD_CTX_init(ctx);
- return ctx;
-}
-
-
-static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
-{
- if (!ctx)
- return;
- EVP_MD_CTX_cleanup(ctx);
- bin_clear_free(ctx, sizeof(*ctx));
-}
-#endif /* OpenSSL version < 1.1.0 */
static BIGNUM * get_group5_prime(void)
{
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 4413ec325..7dbbd2d8c 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -58,50 +58,6 @@ typedef int stack_index_t;
#endif /* OPENSSL_NO_TLSEXT */
#endif /* SSL_set_tlsext_status_type */
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L || \
- defined(LIBRESSL_VERSION_NUMBER)) && \
- !defined(BORINGSSL_API_VERSION)
-/*
- * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
- * 1.1.0 and newer BoringSSL revisions. Provide compatibility wrappers for
- * older versions.
- */
-
-static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
- size_t outlen)
-{
- if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
- return 0;
- os_memcpy(out, ssl->s3->client_random, SSL3_RANDOM_SIZE);
- return SSL3_RANDOM_SIZE;
-}
-
-
-static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
- size_t outlen)
-{
- if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
- return 0;
- os_memcpy(out, ssl->s3->server_random, SSL3_RANDOM_SIZE);
- return SSL3_RANDOM_SIZE;
-}
-
-
-#ifdef OPENSSL_NEED_EAP_FAST_PRF
-static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
- unsigned char *out, size_t outlen)
-{
- if (!session || session->master_key_length < 0 ||
- (size_t) session->master_key_length > outlen)
- return 0;
- if ((size_t) session->master_key_length < outlen)
- outlen = session->master_key_length;
- os_memcpy(out, session->master_key, outlen);
- return outlen;
-}
-#endif /* OPENSSL_NEED_EAP_FAST_PRF */
-
-#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifdef CONFIG_SUITEB
@@ -2457,12 +2413,6 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
else
SSL_clear_options(ssl, SSL_OP_NO_TLSv1_1);
#endif /* SSL_OP_NO_TLSv1_1 */
-#ifdef SSL_OP_NO_TLSv1_2
- if (flags & TLS_CONN_DISABLE_TLSv1_2)
- SSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
- else
- SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
-#endif /* SSL_OP_NO_TLSv1_2 */
#ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL
/* Start with defaults from BoringSSL */
@@ -4344,15 +4294,6 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
}
}
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
- if (params->flags & TLS_CONN_EAP_FAST) {
- /* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
- * refuses to start the handshake with the modified ciphersuite
- * list (no TLS v1.3 ciphersuites included) for EAP-FAST. */
- wpa_printf(MSG_DEBUG, "OpenSSL: Disable TLSv1.3 for EAP-FAST");
- SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3);
- }
-#endif
#endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
while ((err = ERR_get_error())) {