mirror of
https://github.com/openvswitch/ovs
synced 2025-08-22 01:51:26 +00:00
4b2016b82f
OpenSSL 1.1.0 reached EoL 5 years ago on 11 Sep 2019. Vast majority of distributions moved to newer versions long time ago. OpenSSL 1.1.1 introduced a lot of new APIs and deprecated a lot of old ones. It also introduced support for TLSv1.3 with a pack of APIs specific to that version. Requiring OpenSSL 1.1.1 or newer will allow us to get rid of use of many deprecated APIs as well as introduce explicit support for TLSv1.3 without polluting the code with conditional compiling. Python community did an exceptional investigation on benefits of dropping support for OpenSSL 1.1.0 when they did the same in 2021: https://peps.python.org/pep-0644/ We do not officially support building with LibreSSL, but all the ifdefs for it are not necessary today, as LibreSSL implemented all the missing APIs. Also, most major distributions either moved away from LibreSSL or provide OpenSSL as an alternative. This commit only removes explicit workarounds. We'll start replacing deprecated APIs in the next ones. OpenSSL 1.1.1 also reached end of life in 2023, but it's not a big burden to support, and many distributions are still using it and will continue using it for quite some time. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
92 lines
2.1 KiB
Bash
Executable File
92 lines
2.1 KiB
Bash
Executable File
#! /bin/sh -e
|
|
|
|
dhparam_to_c() {
|
|
local bits
|
|
local get_p=0
|
|
local line
|
|
local nl="
|
|
"
|
|
local p
|
|
local i=0
|
|
while read -r line; do
|
|
case "$line" in
|
|
*"DH Parameters: "*)
|
|
bits=${line#*DH Parameters: (}
|
|
bits=${bits% bit)}
|
|
continue
|
|
;;
|
|
"P:"|"prime:")
|
|
get_p=1
|
|
continue
|
|
;;
|
|
"G: "*|"generator: "*)
|
|
g=${line#*(}
|
|
g=${g%)}
|
|
g=$(printf "0x%.2X" "$g")
|
|
continue
|
|
;;
|
|
esac
|
|
if [ "$get_p" = 1 ]; then
|
|
IFS=":"
|
|
for x in $line; do
|
|
[ -z "$p" ] && [ "$x" = "00" ] && continue
|
|
[ $i -ge 10 ] && i=0
|
|
[ $i -eq 0 ] && p="$p$nl "
|
|
x=0x$x
|
|
p=$(printf "%s 0x%.2X," "$p" "$x")
|
|
i=$((i + 1))
|
|
done
|
|
unset IFS
|
|
fi
|
|
done <<EOF
|
|
$(openssl dhparam -in "$1" -text -noout)
|
|
EOF
|
|
p=${p%,}
|
|
cat <<EOF
|
|
DH *get_dh${bits}(void)
|
|
{
|
|
static unsigned char dhp_${bits}[] = {$p
|
|
};
|
|
static unsigned char dhg_${bits}[] = {
|
|
$g
|
|
};
|
|
DH *dh = DH_new();
|
|
BIGNUM *p, *g;
|
|
|
|
if (dh == NULL)
|
|
return NULL;
|
|
p = BN_bin2bn(dhp_${bits}, sizeof(dhp_${bits}), NULL);
|
|
g = BN_bin2bn(dhg_${bits}, sizeof(dhg_${bits}), NULL);
|
|
if (p == NULL || g == NULL
|
|
|| !my_DH_set0_pqg(dh, p, NULL, g)) {
|
|
DH_free(dh);
|
|
BN_free(p);
|
|
BN_free(g);
|
|
return NULL;
|
|
}
|
|
return dh;
|
|
}
|
|
EOF
|
|
}
|
|
|
|
cat <<'EOF'
|
|
/* Generated automatically; do not modify! -*- buffer-read-only: t -*-
|
|
*
|
|
* If you do need to regenerate this file, run "make generate-dhparams-c". */
|
|
|
|
#include <config.h>
|
|
#include "lib/dhparams.h"
|
|
#include "openvswitch/util.h"
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x3000000fL
|
|
static int
|
|
my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
|
|
{
|
|
ovs_assert(q == NULL);
|
|
return DH_set0_pqg(dh, p, NULL, g);
|
|
}
|
|
EOF
|
|
dhparam_to_c lib/dh2048.pem
|
|
dhparam_to_c lib/dh4096.pem
|
|
echo "#endif"
|