From 08050dc939b0c6deb9433c0d258a533530451b22 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Mon, 17 Jun 2024 12:28:45 +0200
Subject: [PATCH] - Fix #1091: Build fails with OpenSSL >= 3.0 built with OPENSSL_NO_DEPRECATED.
---
 config.h.in | 3 +++
 configure | 31 +++++++++++++++++++++++++++++--
 configure.ac | 15 ++++++++++++---
 dnstap/dtstream.c | 8 ++++++++
 dnstap/unbound-dnstap-socket.c | 8 ++++++++
 doc/Changelog | 4 ++++
 smallapp/unbound-anchor.c | 4 ++++
 smallapp/unbound-control.c | 4 ++++
 testcode/petal.c | 2 +-
 testcode/streamtcp.c | 4 ++++
 util/net_help.c | 2 +-
 11 files changed, 78 insertions(+), 7 deletions(-)
diff --git a/config.h.in b/config.h.in
index bc39544c4..2ffb487a5 100644
--- a/config.h.in
+++ b/config.h.in
@@ -566,6 +566,9 @@ function. */
 #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
+/* Define to 1 if you have the `SSL_CTX_set_tmp_ecdh' function. */
+#undef HAVE_SSL_CTX_SET_TMP_ECDH
+
 /* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
 #undef HAVE_SSL_GET0_ALPN_SELECTED
diff --git a/configure b/configure
index eadff0023..d62837be8 100755
--- a/configure
+++ b/configure
@@ -20656,6 +20656,12 @@ then :
 printf "%s\n" "#define HAVE_BIO_SET_CALLBACK_EX 1" >>confdefs.h fi +ac_fn_c_check_func "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_func_SSL_CTX_set_tmp_ecdh" +if test "x$ac_cv_func_SSL_CTX_set_tmp_ecdh" = xyes +then : + printf "%s\n" "#define HAVE_SSL_CTX_SET_TMP_ECDH 1" >>confdefs.h + +fi # these check_funcs need -lssl
@@ -21190,7 +21196,25 @@ case "$enable_ecdsa" in ;; *) if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then - ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign" + ac_fn_c_check_func "$LINENO" "EVP_PKEY_fromdata" "ac_cv_func_EVP_PKEY_fromdata" +if test "x$ac_cv_func_EVP_PKEY_fromdata" = xyes +then : + + # with EVP_PKEY_fromdata, check if EC is not disabled + ac_fn_check_decl "$LINENO" "OPENSSL_NO_EC" "ac_cv_have_decl_OPENSSL_NO_EC" "$ac_includes_default +#include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_OPENSSL_NO_EC" = xyes +then : + as_fn_error $? "OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5 + +fi + +else $as_nop + + # without EVP_PKEY_fromdata, older openssl, check for support + ac_fn_c_check_func "$LINENO" "ECDSA_sign" "ac_cv_func_ECDSA_sign" if test "x$ac_cv_func_ECDSA_sign" = xyes then :
@@ -21198,12 +21222,15 @@ else $as_nop as_fn_error $? "OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5 fi - ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init" + ac_fn_c_check_func "$LINENO" "SHA384_Init" "ac_cv_func_SHA384_Init" if test "x$ac_cv_func_SHA384_Init" = xyes then : else $as_nop as_fn_error $? "OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa" "$LINENO" 5 +fi + + fi ac_fn_check_decl "$LINENO" "NID_X9_62_prime256v1" "ac_cv_have_decl_NID_X9_62_prime256v1" "$ac_includes_default
diff --git a/configure.ac b/configure.ac
index 958ace2a8..88c4ff1cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -944,7 +944,7 @@ else
 AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex SSL_CTX_set_tmp_ecdh])
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
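Review bot: The function probe added at the end of the `+AC_CHECK_FUNCS([... SSL_CTX_set_tmp_ecdh])` line is unlikely to ever succeed, because AC_CHECK_FUNCS links a test program that declares the name as a plain function and looks for a symbol, while in every OpenSSL header I know of (1.0.x through 3.x) SSL_CTX_set_tmp_ecdh is a macro over SSL_CTX_ctrl with no exported symbol. If that holds for the versions you target, HAVE_SSL_CTX_SET_TMP_ECDH is never defined and the `#elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH)` branches this commit gates in util/net_help.c and testcode/petal.c become unreachable, which does fix the no-deprecated build but also silently drops the explicit prime256v1 setup on libraries that lack SSL_CTX_set_ecdh_auto. The declaration-style probe configure.ac already uses for SSL_CTX_set_ecdh_auto and for NID_X9_62_prime256v1 does detect macros: `AC_CHECK_DECLS([SSL_CTX_set_tmp_ecdh], [], [], [AC_INCLUDES_DEFAULT` / `#include <openssl/ssl.h>` / `])`, with the C side then testing `HAVE_DECL_SSL_CTX_SET_TMP_ECDH`. Worth confirming on an OpenSSL 1.1 tree whether the function check actually reports yes before relying on it.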
@@ -1181,8 +1181,17 @@ case "$enable_ecdsa" in
 ;;
 *)
 if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
- AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
- AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
+ AC_CHECK_FUNC(EVP_PKEY_fromdata, [
+ # with EVP_PKEY_fromdata, check if EC is not disabled
+ AC_CHECK_DECL([OPENSSL_NO_EC], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])
+ ], [], [AC_INCLUDES_DEFAULT
+#include
+ ])
+ ], [
+ # without EVP_PKEY_fromdata, older openssl, check for support
+ AC_CHECK_FUNC(ECDSA_sign, [], [AC_MSG_ERROR([OpenSSL does not support ECDSA: please upgrade or rerun with --disable-ecdsa])])
+ AC_CHECK_FUNC(SHA384_Init, [], [AC_MSG_ERROR([OpenSSL does not support SHA384: please upgrade or rerun with --disable-ecdsa])])
+ ])
 AC_CHECK_DECLS([NID_X9_62_prime256v1, NID_secp384r1], [], [AC_MSG_ERROR([OpenSSL does not support the ECDSA curves: please upgrade or rerun with --disable-ecdsa])], [AC_INCLUDES_DEFAULT
 #include
 ])
diff --git a/dnstap/dtstream.c b/dnstap/dtstream.c
index 69c951276..e381def19 100644
--- a/dnstap/dtstream.c
+++ b/dnstap/dtstream.c
@@ -1322,7 +1322,11 @@ static int dtio_ssl_check_peer(struct dt_io_thread* dtio)
 if((SSL_get_verify_mode(dtio->ssl)&SSL_VERIFY_PEER)) {
 /* verification */
 if(SSL_get_verify_result(dtio->ssl) == X509_V_OK) {
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+ X509* x = SSL_get1_peer_certificate(dtio->ssl);
+#else
 X509* x = SSL_get_peer_certificate(dtio->ssl);
+#endif
 if(!x) {
 verbose(VERB_ALGO, "dnstap io, %s, SSL "
 "connection failed no certificate",
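Review bot: The `#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE` / `#else` / `#endif` ladder around the peer-certificate fetch is written out seven times in this commit (here, the second dtstream.c hunk, both unbound-dnstap-socket.c hunks, unbound-anchor.c, unbound-control.c and streamtcp.c); a single `static inline X509* ssl_get_peer_cert(SSL* ssl)` in a header all of these already include would keep the selection in one place, so the next OpenSSL API rename touches one line instead of seven. The substitution itself looks behaviour-preserving as far as the hunk shows: both SSL_get1_peer_certificate and the deprecated SSL_get_peer_certificate hand back an owned reference, and the existing X509_free calls remain. Note that config.h.in gains HAVE_SSL_CTX_SET_TMP_ECDH in this commit but not HAVE_SSL_GET1_PEER_CERTIFICATE, so the new branches depend on that probe already existing in configure.ac; worth a glance to confirm, since without it every build silently takes the deprecated path. dtio_ssl_check_peer continues outside the hunk.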
@@ -1347,7 +1351,11 @@ static int dtio_ssl_check_peer(struct dt_io_thread* dtio)
 #endif
 X509_free(x);
 } else {
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+ X509* x = SSL_get1_peer_certificate(dtio->ssl);
+#else
 X509* x = SSL_get_peer_certificate(dtio->ssl);
+#endif
 if(x) {
 log_cert(VERB_ALGO, "dnstap io, peer "
 "certificate", x);
diff --git a/dnstap/unbound-dnstap-socket.c b/dnstap/unbound-dnstap-socket.c
index 12dac40ee..7772e763d 100644
--- a/dnstap/unbound-dnstap-socket.c
+++ b/dnstap/unbound-dnstap-socket.c
@@ -916,7 +916,11 @@ static int tap_check_peer(struct tap_data* data)
 if((SSL_get_verify_mode(data->ssl)&SSL_VERIFY_PEER)) {
 /* verification */
 if(SSL_get_verify_result(data->ssl) == X509_V_OK) {
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+ X509* x = SSL_get1_peer_certificate(data->ssl);
+#else
 X509* x = SSL_get_peer_certificate(data->ssl);
+#endif
 if(!x) {
 if(verbosity) log_info("SSL connection %s" " failed no certificate", data->id);
@@ -938,7 +942,11 @@ static int tap_check_peer(struct tap_data* data)
 #endif
 X509_free(x);
 } else {
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+ X509* x = SSL_get1_peer_certificate(data->ssl);
+#else
 X509* x = SSL_get_peer_certificate(data->ssl);
+#endif
 if(x) {
 if(verbosity) log_cert(VERB_ALGO, "peer certificate", x);
diff --git a/doc/Changelog b/doc/Changelog
index 6a56754eb..b3092e0b1 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+17 June 2024: Wouter
+ - Fix #1091: Build fails with OpenSSL >= 3.0 built with
+ OPENSSL_NO_DEPRECATED.
+
 7 June 2024: Wouter
 - Add unit test for validation of repeated use of a DNAME record.
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index 68e0d010c..aa39dcf0d 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -805,7 +805,11 @@ TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni)
 }
 /* wants to be called again */
 }
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+ x = SSL_get1_peer_certificate(ssl);
+#else
 x = SSL_get_peer_certificate(ssl);
+#endif
 if(!x) {
 if(verb) printf("Server presented no peer certificate\n");
 SSL_free(ssl);
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 2a0cd688e..50a465bd5 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -759,7 +759,11 @@ setup_ssl(SSL_CTX* ctx, int fd)
 /* check authenticity of server */
 if(SSL_get_verify_result(ssl) != X509_V_OK) ssl_err("SSL verification failed");
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+ x = SSL_get1_peer_certificate(ssl);
+#else
 x = SSL_get_peer_certificate(ssl);
+#endif
 if(!x) ssl_err("Server presented no peer certificate");
 X509_free(x);
diff --git a/testcode/petal.c b/testcode/petal.c
index 63d3d452e..6d825f1e0 100644
--- a/testcode/petal.c
+++ b/testcode/petal.c
@@ -256,7 +256,7 @@ setup_ctx(char* key, char* cert)
 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
 if (!SSL_CTX_set_ecdh_auto(ctx,1))
 if(verb>=1) printf("failed to set_ecdh_auto, not enabling ECDHE\n");
-#elif defined(USE_ECDSA)
+#elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH)
 if(1) {
 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
 if (!ecdh) {
diff --git a/testcode/streamtcp.c b/testcode/streamtcp.c
index 037bcfd8b..60122c4dd 100644
--- a/testcode/streamtcp.c
+++ b/testcode/streamtcp.c
@@ -471,7 +471,11 @@ send_em(const char* svr, const char* pp2_client, int udp, int usessl,
 }
 }
 if(1) {
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+ X509* x = SSL_get1_peer_certificate(ssl);
+#else
 X509* x = SSL_get_peer_certificate(ssl);
+#endif
 if(!x) printf("SSL: no peer certificate\n");
 else {
 X509_print_fp(stdout, x);
diff --git a/util/net_help.c b/util/net_help.c
index a1bd71865..772333816 100644
--- a/util/net_help.c
+++ b/util/net_help.c
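Review bot: With the new `#elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH)` guard in petal.c, a build that has neither the SSL_CTX_set_ecdh_auto declaration nor a positive tmp_ecdh probe falls into neither branch, and nothing in the source tells the reader why ECDHE setup is skipped or logs that it was; the matching hunk in util/net_help.c has the same gap. On OpenSSL 1.1.0 and later ECDHE curve selection is automatic, so silence is presumably correct there, but it deserves an `#else` before the closing `#endif` (outside this hunk) carrying `/* no explicit ECDH setup: OpenSSL >= 1.1.0 negotiates ECDHE curves itself */`. For any older library without set_ecdh_auto that is still supported, the change quietly drops the prime256v1 key that used to be installed, so a verbose-level message in that `#else` would make the regression visible rather than a silent loss of forward secrecy. setup_ctx continues outside the hunk.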
@@ -1220,7 +1220,7 @@ listen_sslctx_setup_2(void* ctxt)
 if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
 }
-#elif defined(USE_ECDSA)
+#elif defined(USE_ECDSA) && defined(HAVE_SSL_CTX_SET_TMP_ECDH)
 if(1) {
 EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
 if (!ecdh) {
-- 
2.47.2