From acfdfb8620c17beb871c6fc135b047fd9dbcb7fe Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Thu, 9 Dec 2021 09:54:02 +0100
Subject: [PATCH] openssl: supress warnings about functions deprecated by openssl 3.0

We get warnings for RSA_free(), EC_KEY_free(), EC_KEY_new(), etc. Those functions are now deprecated and we're supposed to use the new "EVP API" that is all the rage in openssl 3.0. With some effort I converted dnssec_rsa_verify_raw() to use the new API. The code is significantly longer and, if anything, less readable. The EC code is more complicated and I assume that the EVP API version will be even more complex. It is possiblet that I'm missing some way to call the new functions in a better way, but the documentation is abysmal, so it's really hard to figure out the best way. Of course there are almost no examples, and the ones that are there are not terribly useful and are also stubs that don't do interesting things, don't implement error handling, or memory cleanup. I'll submit my conversion draft as a separate PR. Maybe somebody who knows openssl better will pick it up and write a proper solution. For now, let's just use the existing code, but suppress the warnings. The new version just came out, so it's unlikely that the deprecated functions will be removed any time soon. Fixes #21666.
---
 src/resolve/resolved-dns-dnssec.c | 30 ++++++++++++++++++------------
 src/shared/openssl-util.h | 2 --
 2 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index b1fe9d13149..738259481d9 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -13,6 +13,14 @@
 #include "sort-util.h"
 #include "string-table.h"
+#if PREFER_OPENSSL
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(RSA*, RSA_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL);
+# pragma GCC diagnostic pop
+#endif
+
 #define VERIFY_RRS_MAX 256
 #define MAX_KEY_SIZE (32*1024)
@@ -88,13 +96,15 @@ static int dnssec_rsa_verify_raw(
 const void *data, size_t data_size,
 const void *exponent, size_t exponent_size,
 const void *modulus, size_t modulus_size) {
+ int r;
 #if PREFER_OPENSSL
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 _cleanup_(RSA_freep) RSA *rpubkey = NULL;
 _cleanup_(EVP_PKEY_freep) EVP_PKEY *epubkey = NULL;
 _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = NULL;
 _cleanup_(BN_freep) BIGNUM *e = NULL, *m = NULL;
- int r;
 assert(hash_algorithm);
@@ -141,13 +151,11 @@ static int dnssec_rsa_verify_raw(
 return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Signature verification failed: 0x%lx", ERR_get_error());
- return r;
-
+# pragma GCC diagnostic pop
 #else
 gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL;
 gcry_mpi_t n = NULL, e = NULL, s = NULL;
 gcry_error_t ge;
- int r;
 assert(hash_algorithm);
@@ -223,9 +231,8 @@ finish:
 gcry_sexp_release(signature_sexp);
 if (data_sexp)
 gcry_sexp_release(data_sexp);
-
- return r;
 #endif
+ return r;
 }
 static int dnssec_rsa_verify(
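Review bot: The two cleanup helpers moved here from openssl-util.h carry no comment saying why they now live in this .c file instead of the shared header, so a later tidy-up is likely to move them back and reintroduce the warning. A one-line comment above the added `#if PREFER_OPENSSL` block would pin the rationale: `/* RSA and EC_KEY are deprecated since OpenSSL 3.0; their cleanup helpers are defined here under a local -Wdeprecated-declarations suppression so that the shared header stays warning-free (see #21666). */`. Any other translation unit that picked up `RSA_freep` or `EC_KEY_freep` from the header would now fail to compile; only this file's uses are visible in the patch, so a tree-wide build with PREFER_OPENSSL is worth confirming.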
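Review bot: The `push`/`ignored` pair inserted before the `_cleanup_` declarations, with its `pop` in the `@@ -141` hunk, silences `-Wdeprecated-declarations` for the whole OpenSSL branch of dnssec_rsa_verify_raw, not only for the RSA_* calls the commit message names, so a future deprecation of any EVP_PKEY_* or BN_* function used in that branch would go unnoticed until the symbol is removed. Narrowing the suppressed region to the statements that actually reference the deprecated RSA API, or at least annotating the `push` line with `/* deprecated RSA_* API, kept until the EVP conversion lands (#21666) */`, keeps the blanket suppression from outliving its reason. The same pattern appears in the `@@ -291` and `@@ -354` hunks for dnssec_ecdsa_verify_raw. The body of dnssec_rsa_verify_raw continues outside this hunk.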
@@ -291,15 +298,17 @@ static int dnssec_ecdsa_verify_raw(
 const void *signature_s, size_t signature_s_size,
 const void *data, size_t data_size,
 const void *key, size_t key_size) {
+ int k;
 #if PREFER_OPENSSL
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 _cleanup_(EC_GROUP_freep) EC_GROUP *ec_group = NULL;
 _cleanup_(EC_POINT_freep) EC_POINT *p = NULL;
 _cleanup_(EC_KEY_freep) EC_KEY *eckey = NULL;
 _cleanup_(BN_CTX_freep) BN_CTX *bctx = NULL;
 _cleanup_(BN_freep) BIGNUM *r = NULL, *s = NULL;
 _cleanup_(ECDSA_SIG_freep) ECDSA_SIG *sig = NULL;
- int k;
 assert(hash_algorithm);
@@ -354,13 +363,11 @@ static int dnssec_ecdsa_verify_raw(
 return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Signature verification failed: 0x%lx", ERR_get_error());
- return k;
-
+# pragma GCC diagnostic pop
 #else
 gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL;
 gcry_mpi_t q = NULL, r = NULL, s = NULL;
 gcry_error_t ge;
- int k;
 assert(hash_algorithm);
@@ -435,9 +442,8 @@ finish:
 gcry_sexp_release(signature_sexp);
 if (data_sexp)
 gcry_sexp_release(data_sexp);
-
- return k;
 #endif
+ return k;
 }
 static int dnssec_ecdsa_verify(
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index d5b18559874..0f82bc1e00e 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -17,8 +17,6 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(RSA*, RSA_free, NULL);
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIGNUM*, BN_free, NULL);
--
2.39.2