From 571662965cadfb0e3cc1ee384a065b84e0f8512b Mon Sep 17 00:00:00 2001
From: Fabian Mauchle
Date: Wed, 20 Oct 2021 08:18:08 +0200
Subject: [PATCH] backport fix OpenSSL3 compatibility (#70)

---
 ChangeLog             |  3 +++
 radsecproxy.conf.5.in |  3 ++-
 tlscommon.c           | 33 +++++++++++++++++++++++++++++++++
 tlscommon.h           |  4 ++++
 4 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index eeec6d6..7b60473 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
 unreleased changes
+    Misc:
+    - OpenSSL 3.0 compatibility (#70)
+
     Bug Fixes:
     - Fix refused startup with openssl <1.1 (#82)
     - Fix compiler issue for Fedora 33 on s390x (#84)
diff --git a/radsecproxy.conf.5.in b/radsecproxy.conf.5.in
index e398fe9..65198c5 100644
--- a/radsecproxy.conf.5.in
+++ b/radsecproxy.conf.5.in
@@ -854,7 +854,8 @@ for DTLS.
 .BI "DhFile " file
 .RS
 DH parameter \fIfile\fR to use. See \fBopenssl-dhparam\fR(1)
-
+.br
+Note: starting with OpenSSL 3.0, use of custom DH parameters is discouraged.
 .SH "REWRITE BLOCK"
 .nf
diff --git a/tlscommon.c b/tlscommon.c
index be82d82..e921471 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -496,12 +496,26 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
 #endif
     if (conf->dhparam) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+        if (!SSL_CTX_set0_tmp_dh_pkey(ctx, conf->dhparam)) {
+#else
         if (!SSL_CTX_set_tmp_dh(ctx, conf->dhparam)) {
+#endif
             while ((error = ERR_get_error()))
                 debug(DBG_WARN, "tlscreatectx: SSL: %s", ERR_error_string(error, NULL));
             debug(DBG_WARN, "tlscreatectx: Failed to set dh params. Can continue, but some ciphers might not be available.");
         }
     }
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+    else {
+        if (!SSL_CTX_set_dh_auto(ctx, 1)) {
+            while ((error = ERR_get_error()))
+                debug(DBG_WARN, "tlscreatectx: SSL: %s", ERR_error_string(error, NULL));
+            debug(DBG_WARN, "tlscreatectx: Failed to set automatic dh params. Can continue, but some ciphers might not be available.");
+        }
+    }
+#endif
+
     debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name);
     return ctx;
 }
@@ -935,6 +949,20 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
 #endif
     if (dhfile) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+        BIO *bio = BIO_new_file(dhfile, "r");
+        if (bio) {
+            conf->dhparam = EVP_PKEY_new();
+            if (!PEM_read_bio_Parameters(bio, &conf->dhparam)) {
+                BIO_free(bio);
+                while ((error = ERR_get_error()))
+                    debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
+                debug(DBG_ERR, "error in block %s: Failed to load DhFile %s.", val, dhfile);
+                goto errexit;
+            }
+            BIO_free(bio);
+        }
+#else
         FILE *dhfp = fopen(dhfile, "r");
         if (dhfp) {
             conf->dhparam = PEM_read_DHparams(dhfp, NULL, NULL, NULL);
@@ -951,6 +979,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
         }
         free(dhfile);
         dhfile = NULL;
+#endif
     }
     conf->name = stringcopy(val, 0);
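Review bot: The OpenSSL 3 branch passes `conf->dhparam` to `SSL_CTX_set0_tmp_dh_pkey`, which takes ownership of the EVP_PKEY on success, yet the same pointer stays in the struct and is released again with `EVP_PKEY_free(conf->dhparam)` in the errexit hunk later in this patch (and presumably wherever a struct tls is torn down), and it would be handed over a second time if tlscreatectx runs again for the same conf — the separate tlsexpiry/dtlsexpiry fields suggest contexts are created per type and recreated. Once an SSL_CTX holding it is freed that is a double free. Take a reference per context instead: `EVP_PKEY_up_ref(conf->dhparam);` immediately before the set0 call, and `EVP_PKEY_free(conf->dhparam);` as the first statement of its failure branch, since ownership only transfers on success. The new `SSL_CTX_set_dh_auto` else-branch is also a behaviour change for every OpenSSL ≥ 1.1.1 deployment without DhFile (DHE suites become negotiable with the library's built-in groups), which deserves a line in the ChangeLog entry beyond "OpenSSL 3.0 compatibility". tlscreatectx starts outside the hunk.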
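Review bot: In the OpenSSL 3 branch of the DhFile load a failed `BIO_new_file(dhfile, "r")` is silently ignored: with `bio == NULL` the block falls through, `conf->dhparam` stays unset and the configuration is accepted, so a mistyped DhFile path no longer fails startup; how the legacy branch treats a failed fopen lies outside the hunk, but the visible "Failed to load DhFile" handling suggests errors are meant to be fatal here. Add an else branch mirroring the parse failure, e.g. `} else { debug(DBG_ERR, "error in block %s: Failed to open DhFile %s.", val, dhfile); goto errexit; }`. Pre-allocating `conf->dhparam = EVP_PKEY_new()` before `PEM_read_bio_Parameters` also differs from the legacy branch, which lets the PEM reader allocate; passing the address of a NULL pointer (a local assigned on success) is the conventional form and avoids depending on how the decoder treats a key that has no type yet — worth confirming against the OpenSSL 3 documentation. conftls_cb continues outside the hunk.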
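Review bot: The new `#endif` is placed after `free(dhfile); dhfile = NULL;`, so on OpenSSL ≥ 3.0 those two lines are compiled out and the DhFile string is never released on the success path (the errexit path still frees it, but a normal return leaks it) unless the part of conftls_cb after this hunk frees it, which the hunk does not show. Move the `#endif` up so it closes the legacy branch right after the `}` of the `if (dhfp)` block, leaving `free(dhfile);` and `dhfile = NULL;` common to both branches; the OpenSSL 3 path has no further use for dhfile once the BIO is read.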
@@ -981,7 +1010,11 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
     free(tlsversion);
     free(dtlsversion);
     free(dhfile);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+    EVP_PKEY_free(conf->dhparam);
+#else
     DH_free(conf->dhparam);
+#endif
     free(conf);
     return 0;
 }
diff --git a/tlscommon.h b/tlscommon.h
index 30cf265..0a8d203 100644
--- a/tlscommon.h
+++ b/tlscommon.h
@@ -26,7 +26,11 @@ struct tls {
     int tlsmaxversion;
     int dtlsminversion;
     int dtlsmaxversion;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+    EVP_PKEY* dhparam;
+#else
     DH *dhparam;
+#endif
     uint32_t tlsexpiry;
     uint32_t dtlsexpiry;
     X509_VERIFY_PARAM *vpm;
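Review bot: `EVP_PKEY* dhparam;` in the struct tls hunk attaches the `*` to the type, unlike `DH *dhparam;` and `X509_VERIFY_PARAM *vpm;` beside it; write `EVP_PKEY *dhparam;`. The `#if OPENSSL_VERSION_NUMBER >= 0x30000000` in the header also relies on an OpenSSL header having been included before this point, either in tlscommon.h or by every includer — that part of the file is outside the hunk. If the macro is not yet defined, `#if` evaluates it as 0 without any diagnostic and selects the `DH *` member, so a translation unit could see a different struct layout from tlscommon.c; including `<openssl/opensslv.h>` near the top of tlscommon.h, or building with `-Wundef`, removes that ambiguity.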