Use TLS_method() instead of TLS_client_method() throughout.

OpenSSL returns an error for SSL_accept() if TLS_client_method()
was used to generate the context (LibreSSL doesn't care).

Prior to sudo 1.9.7, TLS_client_method() and TLS_server_method()
were used in the TLS client and server initialization code respectively.
This was refactored in sudo 1.9.7 to allow the code to be shared.
Bug #988

config.h.in

@@ -928,11 +928,8 @@
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
-/* Define to 1 if you have the `TLS_client_method' function. */
-#undef HAVE_TLS_CLIENT_METHOD
-
-/* Define to 1 if you have the `TLS_server_method' function. */
-#undef HAVE_TLS_SERVER_METHOD
+/* Define to 1 if you have the `TLS_method' function. */
+#undef HAVE_TLS_METHOD
 
 /* Define to 1 if you have the `ttyslot' function. */
 #undef HAVE_TTYSLOT

configure

@@ -22434,16 +22434,10 @@ then :
   printf "%s\n" "#define HAVE_SSL_CTX_GET0_CERTIFICATE 1" >>confdefs.h
 
 fi
-ac_fn_c_check_func "$LINENO" "TLS_client_method" "ac_cv_func_TLS_client_method"
-if test "x$ac_cv_func_TLS_client_method" = xyes
+ac_fn_c_check_func "$LINENO" "TLS_method" "ac_cv_func_TLS_method"
+if test "x$ac_cv_func_TLS_method" = xyes
 then :
-  printf "%s\n" "#define HAVE_TLS_CLIENT_METHOD 1" >>confdefs.h
-
-fi
-ac_fn_c_check_func "$LINENO" "TLS_server_method" "ac_cv_func_TLS_server_method"
-if test "x$ac_cv_func_TLS_server_method" = xyes
-then :
-  printf "%s\n" "#define HAVE_TLS_SERVER_METHOD 1" >>confdefs.h
+  printf "%s\n" "#define HAVE_TLS_METHOD 1" >>confdefs.h
 
 fi
 

configure.ac

@@ -2992,7 +2992,7 @@ dnl
 if test "${enable_openssl-no}" != no; then
     OLIBS="$LIBS"
     LIBS="$LIBS $LIBTLS"
-    AC_CHECK_FUNCS([X509_STORE_CTX_get0_cert ASN1_STRING_get0_data SSL_CTX_get0_certificate TLS_client_method TLS_server_method])
+    AC_CHECK_FUNCS([X509_STORE_CTX_get0_cert ASN1_STRING_get0_data SSL_CTX_get0_certificate TLS_method])
     # SSL_CTX_set_min_proto_version may be a macro
     AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [
 	AC_INCLUDES_DEFAULT

include/sudo_compat.h

@@ -358,11 +358,8 @@ int getdomainname(char *, size_t);
 # ifndef HAVE_ASN1_STRING_GET0_DATA
 #  define ASN1_STRING_get0_data(x)      ASN1_STRING_data(x)
 # endif
-# ifndef HAVE_TLS_CLIENT_METHOD
-#  define TLS_client_method()           SSLv23_client_method()
-# endif
-# ifndef HAVE_TLS_SERVER_METHOD
-#  define TLS_server_method()           SSLv23_server_method()
+# ifndef HAVE_TLS_METHOD
+#  define TLS_method()                  SSLv23_method()
 # endif
 #endif /* HAVE_OPENSSL */
 

logsrvd/tls_client.c

@@ -231,7 +231,7 @@ tls_client_setup(int sock, const char *ca_bundle_file, const char *cert_file,
     debug_decl(tls_client_setup, SUDO_DEBUG_UTIL);
 
     ssl_ctx = init_tls_context(ca_bundle_file, cert_file, key_file,
-	dhparam_file, ciphers_v12,ciphers_v13, verify_server);
+	dhparam_file, ciphers_v12, ciphers_v13, verify_server);
     if (ssl_ctx == NULL) {
         sudo_warnx(U_("unable to initialize TLS context"));
 	debug_return_bool(false);

logsrvd/tls_init.c

@@ -191,7 +191,7 @@ init_tls_context(const char *ca_bundle_file, const char *cert_file,
     }
 
     /* Create the ssl context and enforce TLS 1.2 or higher. */
-    if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
+    if ((ctx = SSL_CTX_new(TLS_method())) == NULL) {
 	errstr = ERR_reason_error_string(ERR_get_error());
 	sudo_warnx(U_("unable to create TLS context: %s"), errstr);
         goto bad;

plugins/sudoers/log_client.c

@@ -188,7 +188,7 @@ tls_init(struct client_closure *closure)
     SSL_load_error_strings();
     
     /* Create the ssl context and enforce TLS 1.2 or higher. */
-    if ((closure->ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL) {
+    if ((closure->ssl_ctx = SSL_CTX_new(TLS_method())) == NULL) {
         errstr = ERR_reason_error_string(ERR_get_error());
         sudo_warnx(U_("Creation of new SSL_CTX object failed: %s"), errstr);
         goto bad;