author | William Marlow <william.marlow@ibm.com> | 2022-06-18 21:43:31 +0100 |
---|---|---|
committer | Azat Khuzhin <azat@libevent.org> | 2022-07-09 23:24:53 +0300 |
commit | 29c420c418aeb497e5e8b7abd45dee39194ca5fc (patch) | |
tree | f2858d903feacf8b5c6322c213ed4ffaaea8090e | |
parent | 20977eae0d67f3b4f02aca2b891391517749b121 (diff) | |
Initial OpenSSL 3.0 support
* Don't use deprecated functions when building against OpenSSL 3.0.
* Recognise that OpenSSL 3.0 can signal a dirty shutdown as a protocol
  error in addition to the expected IO error produced by OpenSSL 1.1.1
* Update regress_mbedtls.c for compatibility with OpenSSL 3
-rw-r--r-- | bufferevent_openssl.c | 4 | ||||
-rw-r--r-- | sample/becat.c | 9 | ||||
-rw-r--r-- | sample/le-proxy.c | 5 | ||||
-rw-r--r-- | test/regress_mbedtls.c | 1 | ||||
-rw-r--r-- | test/regress_ssl.c | 9 |
5 files changed, 27 insertions, 1 deletions
diff --git a/bufferevent_openssl.c b/bufferevent_openssl.c
index 6ace1e3a..1e851749 100644
--- a/bufferevent_openssl.c
+++ b/bufferevent_openssl.c
@@ -259,7 +259,9 @@ conn_closed(struct bufferevent_ssl *bev_ssl, int when, int errcode, int ret)
 bufferevent_ssl_put_error(bev_ssl, errcode);
 break;
 case SSL_ERROR_SSL:
-/* Protocol error. */
+/* Protocol error; possibly a dirty shutdown. */
+if (ret == 0 && SSL_is_init_finished(bev_ssl->ssl) == 0)
+dirty_shutdown = 1;
 bufferevent_ssl_put_error(bev_ssl, errcode);
 break;
 case SSL_ERROR_WANT_X509_LOOKUP:
diff --git a/sample/becat.c b/sample/becat.c
index 00c5a55e..c6daf90a 100644
--- a/sample/becat.c
+++ b/sample/becat.c
@@ -188,6 +188,10 @@ static void ssl_ctx_free(struct ssl_context *ssl)
 static int ssl_load_key(struct ssl_context *ssl)
 {
 int err = 1;
+#if OPENSSL_VERSION_MAJOR >= 3
+ssl->pkey = EVP_RSA_gen(4096);
+err = ssl->pkey == NULL;
+#else
 BIGNUM *bn;
 RSA *key;
@@ -205,6 +209,7 @@ static int ssl_load_key(struct ssl_context *ssl)
 err = 0;
 err:
 BN_free(bn);
+#endif
 return err;
 }
 static int ssl_load_cert(struct ssl_context *ssl)
@@ -386,8 +391,12 @@ static void be_ssl_errors(struct bufferevent *bev)
 while ((err = bufferevent_get_openssl_error(bev))) {
 const char *msg = ERR_reason_error_string(err);
 const char *lib = ERR_lib_error_string(err);
+#if OPENSSL_VERSION_MAJOR >= 3
+error("ssl/err=%d/%s in %s\n", err, msg, lib);
+#else
 const char *func = ERR_func_error_string(err);
 error("ssl/err=%d/%s in %s %s\n", err, msg, lib, func);
+#endif
 }
 }
 static int event_cb_(struct bufferevent *bev, short what, int ssl, int stop)
diff --git a/sample/le-proxy.c b/sample/le-proxy.c
index d46a5e15..881d3a59 100644
--- a/sample/le-proxy.c
+++ b/sample/le-proxy.c
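Review bot: The new check classifies every SSL_ERROR_SSL with ret == 0 before the handshake completes as a dirty shutdown, which folds any other handshake-phase protocol failure into the same EOF-style reporting for callers that have opted into accepting dirty shutdowns, while the commit message only describes OpenSSL 3's unexpected-EOF error. Peeking the queued reason before bufferevent_ssl_put_error() drains it would be more precise: `#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING` / `if (ret == 0 && ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNEXPECTED_EOF_WHILE_READING) dirty_shutdown = 1;` / `#endif`. That reason code is only defined by OpenSSL 3.0 headers, so the #ifdef leaves the 1.1.1 build unchanged. dirty_shutdown itself is declared outside the hunk, and conn_closed's body starts and ends outside it.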
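Review bot: The new `error("ssl/err=%d/%s in %s\n", err, msg, lib);` in the be_ssl_errors hunk passes msg and lib straight to %s, and ERR_reason_error_string() and ERR_lib_error_string() return NULL for codes they have no string for, which is undefined behaviour for %s; the new fprintf in the le-proxy.c hunk has the same shape. Guarding both arguments, e.g. `msg ? msg : "unknown"` and `lib ? lib : "unknown"`, avoids it. The OPENSSL_VERSION_MAJOR macro tested in all three becat.c hunks is only defined by OpenSSL 3.0 headers, so the preprocessor evaluates it as 0 on 1.1.1 — correct, but a short comment or `defined(OPENSSL_VERSION_MAJOR) &&` would make that intent explicit and keep -Wundef builds quiet.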
@@ -113,10 +113,15 @@ eventcb(struct bufferevent *bev, short what, void *ctx)
 ERR_reason_error_string(err);
 const char *lib = (const char*)
 ERR_lib_error_string(err);
+#if OPENSSL_VERSION_MAJOR >= 3
+fprintf(stderr,
+"%s in %s\n", msg, lib);
+#else
 const char *func = (const char*)
 ERR_func_error_string(err);
 fprintf(stderr,
 "%s in %s %s\n", msg, lib, func);
+#endif
 }
 if (errno)
 perror("connection error");
diff --git a/test/regress_mbedtls.c b/test/regress_mbedtls.c
index 6822fece..df152a2f 100644
--- a/test/regress_mbedtls.c
+++ b/test/regress_mbedtls.c
@@ -48,6 +48,7 @@
 #define SSL_renegotiate mbedtls_ssl_renegotiate
 #define SSL_get_peer_certificate mbedtls_ssl_get_peer_cert
+#define SSL_get1_peer_certificate mbedtls_ssl_get_peer_cert
 #define SSL_new mbedtls_ssl_new
 #define SSL_use_certificate(a, b) \
 do { \
diff --git a/test/regress_ssl.c b/test/regress_ssl.c
index 19b29b56..a27f225a 100644
--- a/test/regress_ssl.c
+++ b/test/regress_ssl.c
@@ -224,7 +224,16 @@ eventcb(struct bufferevent *bev, short what, void *ctx)
 ++n_connected;
 ssl = bufferevent_ssl_get_ssl(bev);
 tt_assert(ssl);
+#if OPENSSL_VERSION_MAJOR >= 3
+/* SSL_get1_peer_certificate() means we want
+ * to increase the reference count on the cert
+ * and so we will need to free it ourselves later
+ * when we're done with it. The non-reference count
+ * increasing version is not available in OpenSSL 1.1.1. */
+peer_cert = SSL_get1_peer_certificate(ssl);
+#else
 peer_cert = SSL_get_peer_certificate(ssl);
+#endif
 if (type & REGRESS_OPENSSL_SERVER) {
 tt_assert(peer_cert == NULL);
 } else {
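Review bot: The comment added above `peer_cert = SSL_get1_peer_certificate(ssl);` in the regress_ssl.c hunk implies that only the OpenSSL 3 branch takes a reference, but SSL_get_peer_certificate() in the #else branch also increments the X509 reference count (in 3.0 it is simply the deprecated alias of SSL_get1_peer_certificate()), so the caller owns peer_cert and must X509_free() it on both paths. Rewording it avoids a maintainer later dropping the free on the 1.1.1 path, e.g. `/* Both SSL_get_peer_certificate() and its non-deprecated 3.0 name SSL_get1_peer_certificate() return a new reference; X509_free() it when done. */`. Whether this function already frees peer_cert is not visible here — eventcb starts and ends outside the hunk.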