],[
AC_MSG_RESULT([no])
])
+
+ AC_MSG_CHECKING([for OpenSSL >= v3])
+ AC_COMPILE_IFELSE([
+ AC_LANG_PROGRAM([[
+#include <openssl/opensslv.h>
+ ]],[[
+ #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ return 0;
+ #else
+ #error older than 3
+ #endif
+ ]])
+ ],[
+ AC_MSG_RESULT([yes])
+ AC_DEFINE_UNQUOTED(HAVE_OPENSSL3, 1,
+ [Define to 1 if using OpenSSL 3 or later.])
+ dnl OpenSSLv3 marks the DES functions deprecated but we have no
+ dnl replacements (yet) so tell the compiler to not warn for them
+ dnl
+ dnl Ask OpenSSL to suppress the warnings.
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+ ssl_msg="OpenSSL v3+"
+ ],[
+ AC_MSG_RESULT([no])
+ ])
fi
if test "$OPENSSL_ENABLED" = "1"; then
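Review bot: The `dnl` comment above the `CPPFLAGS` line describes the suppression as being for the DES functions, but `-DOPENSSL_SUPPRESS_DEPRECATED` is added to the global `CPPFLAGS` and silences every OpenSSL deprecation warning in the build. Later use of any other deprecated OpenSSL API would then compile without notice. I would state that scope in the comment, for example `dnl NOTE: this hides all OpenSSL deprecation warnings, not only DES; remove once the DES calls are replaced`. As a style point, `AC_DEFINE_UNQUOTED(HAVE_OPENSSL3, 1, ...)` passes a literal value and needs no shell expansion, so plain `AC_DEFINE` is enough.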
}
#endif
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */
+ if(ssl_cafile) {
+ if(!SSL_CTX_load_verify_file(backend->ctx, ssl_cafile)) {
+ if(verifypeer) {
+ /* Fail if we insist on successfully verifying the server. */
+ failf(data, "error setting certificate file: %s", ssl_cafile);
+ return CURLE_SSL_CACERT_BADFILE;
+ }
+ /* Continue with a warning if no certificate verification is required. */
+ infof(data, "error setting certificate file, continuing anyway\n");
+ }
+ infof(data, " CAfile: %s\n", ssl_cafile);
+ }
+ if(ssl_capath) {
+ if(!SSL_CTX_load_verify_dir(backend->ctx, ssl_capath)) {
+ if(verifypeer) {
+ /* Fail if we insist on successfully verifying the server. */
+ failf(data, "error setting certificate path: %s", ssl_capath);
+ return CURLE_SSL_CACERT_BADFILE;
+ }
+ /* Continue with a warning if no certificate verification is required. */
+ infof(data, "error setting certificate path, continuing anyway\n");
+ }
+ infof(data, " CApath: %s\n", ssl_capath);
+ }
+#else
if(ssl_cafile || ssl_capath) {
/* tell SSL where to find CA certificates that are used to verify
the servers certificate. */
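Review bot: With OpenSSL 3 and `CURL_CA_FALLBACK` both defined, the `else if(verifypeer)` that follows the new `#endif` no longer pairs with `if(ssl_cafile || ssl_capath)`, which is compiled out; as the lines are shown it binds to the added `if(ssl_capath)` instead. The fallback branch would then run whenever no CApath is set, even if a CAfile was given and loaded, which presumably widens the trust store beyond the configured CA file (the branch body is outside the visible lines, so confirm). Keeping the original condition around the new code preserves the pairing: open the OpenSSL 3 branch with `if(ssl_cafile || ssl_capath) {` and close it with `}` before `#else`, with the two new tests inside. The enclosing function starts and ends outside the hunk.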
ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none");
}
+#endif
+
#ifdef CURL_CA_FALLBACK
else if(verifypeer) {
/* verifying the peer without any CA certificates won't