In OpenSSL 3.0 some functions were deprecated and replaced.
This commit adds some #ifdef to build without warning on both
OpenSSL 1.x and OpenSSL 3.x.
For OpenSSL 3.x, the default built-in DH parameters are used (as
suggested by SSL_CTX_set_dh_auto manpage).
Signed-off-by: Timothy Redaelli <tredae...@redhat.com>
---
build-aux/generate-dhparams-c | 2 ++
lib/dhparams.c | 2 ++
lib/stream-ssl.c | 12 ++++++++++++
3 files changed, 16 insertions(+)
diff --git a/build-aux/generate-dhparams-c b/build-aux/generate-dhparams-c
index a80db6207..aca1dbca9 100755
--- a/build-aux/generate-dhparams-c
+++ b/build-aux/generate-dhparams-c
@@ -78,6 +78,7 @@ cat <<'EOF'
#include "lib/dhparams.h"
#include "openvswitch/util.h"
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
static int
my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
{
@@ -93,3 +94,4 @@ my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q
OVS_UNUSED, BIGNUM *g)
EOF
dhparam_to_c lib/dh2048.pem
dhparam_to_c lib/dh4096.pem
+echo "#endif"
diff --git a/lib/dhparams.c b/lib/dhparams.c
index 85123863f..50209d5d8 100644
--- a/lib/dhparams.c
+++ b/lib/dhparams.c
@@ -6,6 +6,7 @@
#include "lib/dhparams.h"
#include "openvswitch/util.h"
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
static int
my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
{
@@ -142,3 +143,4 @@ DH *get_dh4096(void)
}
return dh;
}
+#endif
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index f4fe3432e..62da9febb 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -193,7 +193,9 @@ static void ssl_clear_txbuf(struct ssl_stream *);
static void interpret_queued_ssl_error(const char *function);
static int interpret_ssl_error(const char *function, int ret, int error,
int *want);
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength);
+#endif
static void log_ca_cert(const char *file_name, X509 *cert);
static void stream_ssl_set_ca_cert_file__(const char *file_name,
bool bootstrap, bool force);
@@ -471,7 +473,11 @@ static char *
get_peer_common_name(const struct ssl_stream *sslv)
{
char *peer_name = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl);
+#else
+ X509 *peer_cert = SSL_get1_peer_certificate(sslv->ssl);
+#endif
if (!peer_cert) {
return NULL;
}
@@ -1070,7 +1076,11 @@ do_ssl_init(void)
return ENOPROTOOPT;
}
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
+#else
+ SSL_CTX_set_dh_auto(ctx, 1);
+#endif
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
@@ -1081,6 +1091,7 @@ do_ssl_init(void)
return 0;
}
+#if OPENSSL_VERSION_NUMBER < 0x3000000fL
static DH *
tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
{
@@ -1112,6 +1123,7 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export
OVS_UNUSED, int keylength)
keylength);
return NULL;
}
+#endif
/* Returns true if SSL is at least partially configured. */
bool
--
2.37.3
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
