
[ovs-dev,2/2] Add support for OpenSSL 3.0 functions

Message ID 6b73c3a324aaf759f12449c92cb30955261d44a0.1663852673.git.tredaelli@redhat.com
State Accepted
Commit b5d9722995c4e38fe95f0a0462fdd124c353a434


Commit Message

Timothy Redaelli Sept. 22, 2022, 1:40 p.m. UTC
In OpenSSL 3.0 some functions were deprecated and replaced.
This commit adds some #ifdef guards so that the code builds without warnings on both
OpenSSL 1.x and OpenSSL 3.x.

For OpenSSL 3.x, the default built-in DH parameters are used (as
suggested by SSL_CTX_set_dh_auto manpage).

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
---
 build-aux/generate-dhparams-c |  2 ++
 lib/dhparams.c                |  2 ++
 lib/stream-ssl.c              | 12 ++++++++++++
 3 files changed, 16 insertions(+)


diff --git a/build-aux/generate-dhparams-c b/build-aux/generate-dhparams-c
index a80db6207..aca1dbca9 100755
--- a/build-aux/generate-dhparams-c
+++ b/build-aux/generate-dhparams-c
@@ -78,6 +78,7 @@  cat <<'EOF'
 #include "lib/dhparams.h"
 #include "openvswitch/util.h"
 
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
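Review bot: The emitted `#if OPENSSL_VERSION_NUMBER < 0x3000000fL` guard is only correct if a header that defines OPENSSL_VERSION_NUMBER has already been included at that point in the generated file; in `#if`, an undefined identifier silently evaluates to 0, so on OpenSSL 3.x the legacy `my_DH_set0_pqg`/`DH` code would still be compiled, with no diagnostic explaining why. Only `lib/dhparams.h` and `openvswitch/util.h` are visible in the hunk, so whether one of them pulls in the OpenSSL version header cannot be confirmed here; emitting an explicit `#include <openssl/opensslv.h>` in the preamble would make the guard self-contained. The same guard appears in the generated `lib/dhparams.c` in the next file section and is closed by the `echo "#endif"` in the following hunk, so any fix belongs in this generator rather than in the generated file. A one-line comment above the guard, `/* OpenSSL 3.0 deprecates the DH_* API; the bundled dhparams are only built for 1.x. */`, would tell a reader why the entire file body is conditional.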
@@ -93,3 +94,4 @@  my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 EOF
 dhparam_to_c lib/dh2048.pem
 dhparam_to_c lib/dh4096.pem
+echo "#endif"
diff --git a/lib/dhparams.c b/lib/dhparams.c
index 85123863f..50209d5d8 100644
--- a/lib/dhparams.c
+++ b/lib/dhparams.c
@@ -6,6 +6,7 @@ 
 #include "lib/dhparams.h"
 #include "openvswitch/util.h"
 
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
@@ -142,3 +143,4 @@  DH *get_dh4096(void)
     }
     return dh;
 }
+#endif
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index f4fe3432e..62da9febb 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -193,7 +193,9 @@  static void ssl_clear_txbuf(struct ssl_stream *);
 static void interpret_queued_ssl_error(const char *function);
 static int interpret_ssl_error(const char *function, int ret, int error,
                                int *want);
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength);
+#endif
 static void log_ca_cert(const char *file_name, X509 *cert);
 static void stream_ssl_set_ca_cert_file__(const char *file_name,
                                           bool bootstrap, bool force);
@@ -471,7 +473,11 @@  static char *
 get_peer_common_name(const struct ssl_stream *sslv)
 {
     char *peer_name = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
     X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl);
+#else
+    X509 *peer_cert = SSL_get1_peer_certificate(sslv->ssl);
+#endif
     if (!peer_cert) {
         return NULL;
     }
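Review bot: The `#if`/`#else` around the certificate lookup in `get_peer_common_name` duplicates a call that differs only by function name; defining a compatibility alias once next to the other version checks, `#if OPENSSL_VERSION_NUMBER < 0x3000000fL` / `#define SSL_get1_peer_certificate SSL_get_peer_certificate` / `#endif`, would keep the function body free of preprocessor branches and steer future call sites to the 3.x name. Both functions hand back a reference the caller owns and must release; `get_peer_common_name` continues past the hunk, so the matching release cannot be checked from here.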
@@ -1070,7 +1076,11 @@  do_ssl_init(void)
         return ENOPROTOOPT;
     }
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
     SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
+#else
+    SSL_CTX_set_dh_auto(ctx, 1);
+#endif
     SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
     SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
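Review bot: `SSL_CTX_set_dh_auto(ctx, 1)` returns a long (non-zero on success) and the new 3.x branch discards it, unlike the error-checked setup call just above that returns `ENOPROTOOPT`; a guard such as `if (!SSL_CTX_set_dh_auto(ctx, 1)) { /* log and return an error as the checks above do */ }` would keep the DH setup failure visible instead of silently falling back to whatever the library does without DH parameters. `do_ssl_init` starts before the hunk, so the exact error path to reuse is not visible here. The branch also changes behavior: on 1.x `tmp_dh_callback` selects the bundled dh2048/dh4096 parameters by key length, while on 3.x the library's built-in parameters are used, which the commit message states but the code does not; a comment such as `/* OpenSSL 3.x: use the library's built-in DH parameters instead of the bundled dh2048/dh4096 (see SSL_CTX_set_dh_auto(3)). */` would preserve that rationale at the call site.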
@@ -1081,6 +1091,7 @@  do_ssl_init(void)
     return 0;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static DH *
 tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
 {
@@ -1112,6 +1123,7 @@  tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
                 keylength);
     return NULL;
 }
+#endif
 
 /* Returns true if SSL is at least partially configured. */
 bool