Add support for OpenSSL 3.0 functions.

In OpenSSL 3.0 some functions were deprecated and replaced. This commit adds some #ifdef to build without warning on both OpenSSL 1.x and OpenSSL 3.x. For OpenSSL 3.x, the default built-in DH parameters are used (as suggested by SSL_CTX_set_dh_auto manpage). Signed-off-by: Timothy Redaelli <[email protected]> Signed-off-by: Ilya Maximets <[email protected]>
igsilya · Oct 31, 2023 · 65f99ca · 65f99ca
1 parent 4b341f6
commit 65f99ca
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/build-aux/generate-dhparams-c b/build-aux/generate-dhparams-c
@@ -78,6 +78,7 @@ cat <<'EOF'
 #include "lib/dhparams.h"
 #include "openvswitch/util.h"
 
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
@@ -93,3 +94,4 @@ my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 EOF
 dhparam_to_c lib/dh2048.pem
 dhparam_to_c lib/dh4096.pem
+echo "#endif"
diff --git a/lib/dhparams.c b/lib/dhparams.c
@@ -6,6 +6,7 @@
 #include "lib/dhparams.h"
 #include "openvswitch/util.h"
 
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
@@ -142,3 +143,4 @@ DH *get_dh4096(void)
     }
     return dh;
 }
+#endif
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
@@ -193,7 +193,9 @@ static void ssl_clear_txbuf(struct ssl_stream *);
 static void interpret_queued_ssl_error(const char *function);
 static int interpret_ssl_error(const char *function, int ret, int error,
                                int *want);
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength);
+#endif
 static void log_ca_cert(const char *file_name, X509 *cert);
 static void stream_ssl_set_ca_cert_file__(const char *file_name,
                                           bool bootstrap, bool force);
@@ -471,7 +473,11 @@ static char *
 get_peer_common_name(const struct ssl_stream *sslv)
 {
     char *peer_name = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
     X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl);
+#else
+    X509 *peer_cert = SSL_get1_peer_certificate(sslv->ssl);
+#endif
     if (!peer_cert) {
         return NULL;
     }
@@ -1066,7 +1072,11 @@ do_ssl_init(void)
         return ENOPROTOOPT;
     }
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
     SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
+#else
+    SSL_CTX_set_dh_auto(ctx, 1);
+#endif
     SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
     SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
@@ -1077,6 +1087,7 @@ do_ssl_init(void)
     return 0;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static DH *
 tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
 {
@@ -1108,6 +1119,7 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
                 keylength);
     return NULL;
 }
+#endif
 
 /* Returns true if SSL is at least partially configured. */
 bool