Initial OpenSSL 3.0 support

* Don't use deprecated functions when building against OpenSSL 3.0. * Recognise that OpenSSL 3.0 can signal a dirty shutdown as a protocol. error in addition to the expected IO error produced by OpenSSL 1.1.1 * Update regress_mbedtls.c for compatibility with OpenSSL 3
2025-01-31 09:12:55 +08:00 · 2022-06-18 21:43:31 +01:00 · 2022-06-18 21:43:31 +01:00 · 29c420c418
commit 29c420c418
parent 20977eae0d
5 changed files with 27 additions and 1 deletions
--- a/bufferevent_openssl.c
+++ b/bufferevent_openssl.c
@ -259,7 +259,9 @@ conn_closed(struct bufferevent_ssl *bev_ssl, int when, int errcode, int ret)
 		bufferevent_ssl_put_error(bev_ssl, errcode);
 		break;
 	case SSL_ERROR_SSL:
-		/* Protocol error. */
+		/* Protocol error; possibly a dirty shutdown. */
+		if (ret == 0 && SSL_is_init_finished(bev_ssl->ssl) == 0)
+			dirty_shutdown = 1;
 		bufferevent_ssl_put_error(bev_ssl, errcode);
 		break;
 	case SSL_ERROR_WANT_X509_LOOKUP:
--- a/sample/becat.c
+++ b/sample/becat.c
@ -188,6 +188,10 @@ static void ssl_ctx_free(struct ssl_context *ssl)
 static int ssl_load_key(struct ssl_context *ssl)
 {
 	int err = 1;
+#if OPENSSL_VERSION_MAJOR >= 3
+	ssl->pkey = EVP_RSA_gen(4096);
+	err = ssl->pkey == NULL;
+#else
 	BIGNUM *bn;
 	RSA *key;

@ -205,6 +209,7 @@ static int ssl_load_key(struct ssl_context *ssl)
 	err = 0;
 err:
 	BN_free(bn);
+#endif
 	return err;
 }
 static int ssl_load_cert(struct ssl_context *ssl)
@ -386,8 +391,12 @@ static void be_ssl_errors(struct bufferevent *bev)
 	while ((err = bufferevent_get_openssl_error(bev))) {
 		const char *msg = ERR_reason_error_string(err);
 		const char *lib = ERR_lib_error_string(err);
+#if OPENSSL_VERSION_MAJOR >= 3
+		error("ssl/err=%d/%s in %s\n", err, msg, lib);
+#else
 		const char *func = ERR_func_error_string(err);
 		error("ssl/err=%d/%s in %s %s\n", err, msg, lib, func);
+#endif
 	}
 }
 static int event_cb_(struct bufferevent *bev, short what, int ssl, int stop)
--- a/sample/le-proxy.c
+++ b/sample/le-proxy.c
@ -113,10 +113,15 @@ eventcb(struct bufferevent *bev, short what, void *ctx)
 				    ERR_reason_error_string(err);
 				const char *lib = (const char*)
 				    ERR_lib_error_string(err);
+#if OPENSSL_VERSION_MAJOR >= 3
+				fprintf(stderr,
+					"%s in %s\n", msg, lib);
+#else
 				const char *func = (const char*)
 				    ERR_func_error_string(err);
 				fprintf(stderr,
 				    "%s in %s %s\n", msg, lib, func);
+#endif
 			}
 			if (errno)
 				perror("connection error");
--- a/test/regress_mbedtls.c
+++ b/test/regress_mbedtls.c
@ -48,6 +48,7 @@

 #define SSL_renegotiate mbedtls_ssl_renegotiate
 #define SSL_get_peer_certificate mbedtls_ssl_get_peer_cert
+#define SSL_get1_peer_certificate mbedtls_ssl_get_peer_cert
 #define SSL_new mbedtls_ssl_new
 #define SSL_use_certificate(a, b) \
 	do {                          \
--- a/test/regress_ssl.c
+++ b/test/regress_ssl.c
@ -224,7 +224,16 @@ eventcb(struct bufferevent *bev, short what, void *ctx)
 		++n_connected;
 		ssl = bufferevent_ssl_get_ssl(bev);
 		tt_assert(ssl);
+#if OPENSSL_VERSION_MAJOR >= 3
+		/* SSL_get1_peer_certificate() means we want
+		 * to increase the reference count on the cert
+		 * and so we will need to free it ourselves later
+		 * when we're done with it. The non-reference count
+		 * increasing version is not available in OpenSSL 1.1.1. */
+		peer_cert = SSL_get1_peer_certificate(ssl);
+#else
 		peer_cert = SSL_get_peer_certificate(ssl);
+#endif
 		if (type & REGRESS_OPENSSL_SERVER) {
 			tt_assert(peer_cert == NULL);
 		} else {