backport fix OpenSSL3 compatibility (#70)

mariux64 · Oct 20, 2021 · 5716629 · 5716629
1 parent 0040b1a
commit 5716629
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -1,4 +1,7 @@
 unreleased changes
+	Misc:
+	- OpenSSL 3.0 compatibility (#70)
+
 	Bug Fixes:
 	- Fix refused startup with openssl <1.1 (#82)
 	- Fix compiler issue for Fedora 33 on s390x (#84)

diff --git a/radsecproxy.conf.5.in b/radsecproxy.conf.5.in
@@ -854,7 +854,8 @@ for DTLS.
 .BI "DhFile " file
 .RS
 DH parameter \fIfile\fR to use. See \fBopenssl-dhparam\fR(1)
-
+.br
+Note: starting with OpenSSL 3.0, use of custom DH parameters is discouraged.
 
 .SH "REWRITE BLOCK"
 .nf

diff --git a/tlscommon.c b/tlscommon.c
@@ -496,12 +496,26 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
 #endif
 
     if (conf->dhparam) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+        if (!SSL_CTX_set0_tmp_dh_pkey(ctx, conf->dhparam)) {
+#else
         if (!SSL_CTX_set_tmp_dh(ctx, conf->dhparam)) {
+#endif
             while ((error = ERR_get_error()))
                 debug(DBG_WARN, "tlscreatectx: SSL: %s", ERR_error_string(error, NULL));
             debug(DBG_WARN, "tlscreatectx: Failed to set dh params. Can continue, but some ciphers might not be available.");
         }
     }
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+    else {
+        if (!SSL_CTX_set_dh_auto(ctx, 1)) {
+            while ((error = ERR_get_error()))
+                debug(DBG_WARN, "tlscreatectx: SSL: %s", ERR_error_string(error, NULL));
+            debug(DBG_WARN, "tlscreatectx: Failed to set automatic dh params. Can continue, but some ciphers might not be available.");
+        }
+    }
+#endif
+
     debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name);
     return ctx;
 }
@@ -935,6 +949,20 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
 #endif
 
     if (dhfile) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+        BIO *bio = BIO_new_file(dhfile, "r");
+        if (bio) {
+            conf->dhparam = EVP_PKEY_new();
+            if (!PEM_read_bio_Parameters(bio, &conf->dhparam)) {
+                BIO_free(bio);
+                while ((error = ERR_get_error()))
+                    debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
+                debug(DBG_ERR, "error in block %s: Failed to load DhFile %s.", val, dhfile);
+                goto errexit;
+            }
+            BIO_free(bio);
+        }
+#else
         FILE *dhfp = fopen(dhfile, "r");
         if (dhfp) {
             conf->dhparam = PEM_read_DHparams(dhfp, NULL, NULL, NULL);
@@ -951,6 +979,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
         }
         free(dhfile);
         dhfile = NULL;
+#endif
     }
 
     conf->name = stringcopy(val, 0);
@@ -981,7 +1010,11 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
     free(tlsversion);
     free(dtlsversion);
     free(dhfile);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+    EVP_PKEY_free(conf->dhparam);
+#else
     DH_free(conf->dhparam);
+#endif
     free(conf);
     return 0;
 }

diff --git a/tlscommon.h b/tlscommon.h
@@ -26,7 +26,11 @@ struct tls {
     int tlsmaxversion;
     int dtlsminversion;
     int dtlsmaxversion;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+    EVP_PKEY* dhparam;
+#else
     DH *dhparam;
+#endif
     uint32_t tlsexpiry;
     uint32_t dtlsexpiry;
     X509_VERIFY_PARAM *vpm;