Remove support for openssl < 3.0
OpenSSL 3.0+ has technically been required since
e79239970c3701f12903e8ac1574b9210b69aebc checked in 7 months ago. We
don't seem to be going backwards, so remove code support for <3.0.
OpenSSL 1.1.1 was declared EOL 10 months ago [1]
[1] https://endoflife.date/openssl
Change-Id: I54f0d475dfa79ee7959f1b4278d3790c988de0af
Signed-off-by: Ed Tanous <etanous@nvidia.com>
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 97e9929..e523392 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -35,7 +35,6 @@
{
constexpr const char* trustStorePath = "/etc/ssl/certs/authority";
constexpr const char* x509Comment = "Generated from OpenBMC service";
-static void initOpenssl();
static EVP_PKEY* createEcKey();
// Trust chain related errors.`
@@ -135,41 +134,6 @@
BIO_free(bufio);
if (pkey != nullptr)
{
-#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
- RSA* rsa = EVP_PKEY_get1_RSA(pkey);
- if (rsa != nullptr)
- {
- BMCWEB_LOG_INFO("Found an RSA key");
- if (RSA_check_key(rsa) == 1)
- {
- privateKeyValid = true;
- }
- else
- {
- BMCWEB_LOG_ERROR("Key not valid error number {}",
- ERR_get_error());
- }
- RSA_free(rsa);
- }
- else
- {
- EC_KEY* ec = EVP_PKEY_get1_EC_KEY(pkey);
- if (ec != nullptr)
- {
- BMCWEB_LOG_INFO("Found an EC key");
- if (EC_KEY_check_key(ec) == 1)
- {
- privateKeyValid = true;
- }
- else
- {
- BMCWEB_LOG_ERROR("Key not valid error number {}",
- ERR_get_error());
- }
- EC_KEY_free(ec);
- }
- }
-#else
EVP_PKEY_CTX* pkeyCtx = EVP_PKEY_CTX_new_from_pkey(nullptr, pkey,
nullptr);
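Review bot: With the `OPENSSL_VERSION_NUMBER` branches removed, nothing visible in this header states the OpenSSL 3.0 floor any more. A build against an older library would now fail on `EVP_PKEY_CTX_new_from_pkey` as an undeclared identifier rather than with a clear message. If the build files do not already enforce the minimum version, consider one line near the includes: `static_assert(OPENSSL_VERSION_NUMBER >= 0x30000000L, "OpenSSL 3.0 or newer is required");`. The same applies to the key-generation hunk at -389, and the enclosing function here starts and ends outside the hunk.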
@@ -185,7 +149,6 @@
{
BMCWEB_LOG_ERROR("Key not valid error number {}", ERR_get_error());
}
-#endif
if (privateKeyValid)
{
@@ -205,9 +168,7 @@
}
}
-#if (OPENSSL_VERSION_NUMBER > 0x30000000L)
EVP_PKEY_CTX_free(pkeyCtx);
-#endif
EVP_PKEY_free(pkey);
}
if (!certValid)
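Review bot: `pkeyCtx` is still a raw pointer released by the now-unconditional `EVP_PKEY_CTX_free(pkeyCtx);` in this hunk, while `createEcKey` later in the same file holds its context in a `std::unique_ptr` with `&::EVP_PKEY_CTX_free` as the deleter. Now that only one code path remains, the allocation in the -135 hunk could take the same form, `std::unique_ptr<EVP_PKEY_CTX, decltype(&::EVP_PKEY_CTX_free)> pkeyCtx{EVP_PKEY_CTX_new_from_pkey(nullptr, pkey, nullptr), &::EVP_PKEY_CTX_free};`, passing `pkeyCtx.get()` at the call sites. That way an early exit added between the allocation and this line cannot leak the context, and `pkey` could be wrapped likewise with `EVP_PKEY_free`. The function body starts and ends outside this hunk, so whether such exits exist today is not visible.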
@@ -284,7 +245,6 @@
inline std::string generateSslCertificate(const std::string& cn)
{
BMCWEB_LOG_INFO("Generating new keys");
- initOpenssl();
std::string buffer;
BMCWEB_LOG_INFO("Generating EC key");
@@ -389,29 +349,6 @@
{
EVP_PKEY* pKey = nullptr;
-#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
- int eccgrp = 0;
- eccgrp = OBJ_txt2nid("secp384r1");
-
- EC_KEY* myecc = EC_KEY_new_by_curve_name(eccgrp);
- if (myecc != nullptr)
- {
- EC_KEY_set_asn1_flag(myecc, OPENSSL_EC_NAMED_CURVE);
- EC_KEY_generate_key(myecc);
- pKey = EVP_PKEY_new();
- if (pKey != nullptr)
- {
- if (EVP_PKEY_assign(pKey, EVP_PKEY_EC, myecc) != 0)
- {
- /* pKey owns myecc from now */
- if (EC_KEY_check_key(myecc) <= 0)
- {
- BMCWEB_LOG_ERROR("EC_check_key failed.");
- }
- }
- }
- }
-#else
// Create context for curve parameter generation.
std::unique_ptr<EVP_PKEY_CTX, decltype(&::EVP_PKEY_CTX_free)> ctx{
EVP_PKEY_CTX_new_id(EVP_PKEY_EC, nullptr), &::EVP_PKEY_CTX_free};
@@ -448,20 +385,10 @@
{
return nullptr;
}
-#endif
return pKey;
}
-void initOpenssl()
-{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- SSL_load_error_strings();
- OpenSSL_add_all_algorithms();
- RAND_load_file("/dev/urandom", 1024);
-#endif
-}
-
inline std::string ensureOpensslKeyPresentAndValid(const std::string& filepath)
{
std::string cert = verifyOpensslKeyCert(filepath);