In OpenSSL 3.0 some functions were deprecated and replaced. This commit adds preprocessor version guards (`#if OPENSSL_VERSION_NUMBER < ...`) so that the code builds without deprecation warnings on both OpenSSL 1.x and OpenSSL 3.x.
For OpenSSL 3.x, the default built-in DH parameters are used (as suggested by SSL_CTX_set_dh_auto manpage).
Signed-off-by: Timothy Redaelli <tredae...@redhat.com>
---
 build-aux/generate-dhparams-c | 2 ++
 lib/dhparams.c | 2 ++
 lib/stream-ssl.c | 12 ++++++++++++
 3 files changed, 16 insertions(+)
diff --git a/build-aux/generate-dhparams-c b/build-aux/generate-dhparams-c
index a80db6207..aca1dbca9 100755
--- a/build-aux/generate-dhparams-c
+++ b/build-aux/generate-dhparams-c
@@ -78,6 +78,7 @@ cat <<'EOF'
 #include "lib/dhparams.h"
 #include "openvswitch/util.h"
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
@@ -93,3 +94,4 @@ my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 EOF
 dhparam_to_c lib/dh2048.pem
 dhparam_to_c lib/dh4096.pem
+echo "#endif"
diff --git a/lib/dhparams.c b/lib/dhparams.c
index 85123863f..50209d5d8 100644
--- a/lib/dhparams.c
+++ b/lib/dhparams.c
@@ -6,6 +6,7 @@
 #include "lib/dhparams.h"
 #include "openvswitch/util.h"
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
@@ -142,3 +143,4 @@ DH *get_dh4096(void)
 }
 return dh;
 }
+#endif
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index f4fe3432e..62da9febb 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -193,7 +193,9 @@ static void ssl_clear_txbuf(struct ssl_stream *);
 static void interpret_queued_ssl_error(const char *function);
 static int interpret_ssl_error(const char *function, int ret, int error, int *want);
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength);
+#endif
 static void log_ca_cert(const char *file_name, X509 *cert);
 static void stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap, bool force);
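Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x3000000fL` guard added at the top of lib/dhparams.c only does its job if `OPENSSL_VERSION_NUMBER` is already defined at that point; the only preceding includes are `lib/dhparams.h` and `openvswitch/util.h`, and if neither pulls in `<openssl/opensslv.h>` (dhparams.h presumably includes an OpenSSL header for the `DH` type, but that is not visible here) the undefined macro silently evaluates to 0, the comparison is true, and the deprecated 1.x code is compiled on 3.x after all. An explicit `#include <openssl/opensslv.h>` above the guard, or building with `-Wundef`, removes the doubt. The same guard is emitted by the heredoc in build-aux/generate-dhparams-c, so the include belongs in the generator as well, otherwise the next regeneration drops it. As a nit, `0x3000000fL` is the 3.0.0 release value; `0x30000000L` is the more common boundary and also routes 3.0 pre-release builds to the new API.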
@@ -471,7 +473,11 @@ static char *
 get_peer_common_name(const struct ssl_stream *sslv)
 {
 char *peer_name = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl);
+#else
+ X509 *peer_cert = SSL_get1_peer_certificate(sslv->ssl);
+#endif
 if (!peer_cert) {
 return NULL;
 }
@@ -1070,7 +1076,11 @@ do_ssl_init(void)
 return ENOPROTOOPT;
 }
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
+#else
+ SSL_CTX_set_dh_auto(ctx, 1);
+#endif
 SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
 SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
@@ -1081,6 +1091,7 @@ do_ssl_init(void)
 return 0;
 }
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
 static DH *
 tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
 {
@@ -1112,6 +1123,7 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
 keylength);
 return NULL;
 }
+#endif
 /* Returns true if SSL is at least partially configured. */
 bool
--
2.37.3
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
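Review bot: `SSL_get1_peer_certificate` hands back a reference the caller owns, so the `X509_free` that balances the new `peer_cert` must be reached on every exit path of get_peer_common_name; the function continues past the end of this hunk, and since the 1.x `SSL_get_peer_certificate` also returns an owned reference the existing release presumably covers both branches — worth verifying rather than assuming. A comment above the `#if` would make the ownership explicit to readers who know only the 3.x API, e.g. `/* Both variants return a new reference; release it with X509_free(). */`. Choosing the `get1` variant (rather than the 3.x `SSL_get0_peer_certificate`) is the right drop-in, precisely because it keeps the old ownership semantics.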
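Review bot: The 3.x branch replaces the fixed 2048/4096-bit parameters tmp_dh_callback served with `SSL_CTX_set_dh_auto(ctx, 1)`, and auto-DH picks the group size from the server key's strength, so for a weaker certificate key the negotiated DHE group could end up smaller than the 2048-bit floor the old callback enforced — worth confirming against the OpenSSL version and security level actually deployed (this only affects TLS 1.2 DHE suites; TLS 1.3 negotiates groups through key_share). `SSL_CTX_set_dh_auto` is an `SSL_CTX_ctrl` wrapper that returns a status, and do_ssl_init already fails setup errors (`return ENOPROTOOPT;` at the top of the hunk), so it could be checked the same way: `if (!SSL_CTX_set_dh_auto(ctx, 1)) { return ENOPROTOOPT; }`. A one-line comment explaining why the bundled lib/dh*.pem parameters are not used on 3.x would help the next reader, e.g. `/* OpenSSL 3.x: let the library choose a built-in DH group; the custom dhparams are compiled only for 1.x. */`. do_ssl_init extends past both ends of this hunk.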