authorWilliam Marlow <william.marlow@ibm.com>2022-06-18 21:43:31 +0100
committerAzat Khuzhin <azat@libevent.org>2022-07-09 23:24:53 +0300
commit29c420c418aeb497e5e8b7abd45dee39194ca5fc (patch)
treef2858d903feacf8b5c6322c213ed4ffaaea8090e
parent20977eae0d67f3b4f02aca2b891391517749b121 (diff)
downloadlibevent-29c420c418aeb497e5e8b7abd45dee39194ca5fc.tar.gz
Initial OpenSSL 3.0 support
* Don't use deprecated functions when building against OpenSSL 3.0. * Recognise that OpenSSL 3.0 can signal a dirty shutdown as a protocol error in addition to the expected IO error produced by OpenSSL 1.1.1. * Update regress_mbedtls.c for compatibility with OpenSSL 3.
-rw-r--r--bufferevent_openssl.c4
-rw-r--r--sample/becat.c9
-rw-r--r--sample/le-proxy.c5
-rw-r--r--test/regress_mbedtls.c1
-rw-r--r--test/regress_ssl.c9
5 files changed, 27 insertions, 1 deletions
diff --git a/bufferevent_openssl.c b/bufferevent_openssl.c
index 6ace1e3a..1e851749 100644
--- a/bufferevent_openssl.c
+++ b/bufferevent_openssl.c
@@ -259,7 +259,9 @@ conn_closed(struct bufferevent_ssl *bev_ssl, int when, int errcode, int ret)
bufferevent_ssl_put_error(bev_ssl, errcode);
break;
case SSL_ERROR_SSL:
- /* Protocol error. */
+ /* Protocol error; possibly a dirty shutdown. */
+ if (ret == 0 && SSL_is_init_finished(bev_ssl->ssl) == 0)
+ dirty_shutdown = 1;
bufferevent_ssl_put_error(bev_ssl, errcode);
break;
case SSL_ERROR_WANT_X509_LOOKUP:
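Review bot: The new test `if (ret == 0 && SSL_is_init_finished(bev_ssl->ssl) == 0)` classifies a dirty shutdown indirectly, from the return value and the handshake state, rather than from what OpenSSL 3.0 actually reports; it is not guarded by an OpenSSL version check, so on 1.1.1 a genuine handshake failure with ret == 0 would presumably also be relabelled as a dirty shutdown, and on 3.0 a truncated stream after the handshake has completed would still be reported as a plain protocol error. OpenSSL 3.0 puts a dedicated reason code on the error queue for an unexpected EOF, so testing that reason makes the distinction explicit: `#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING` / `if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNEXPECTED_EOF_WHILE_READING) dirty_shutdown = 1;` / `#endif`, keeping the present heuristic only as a fallback for older libraries if it is still needed. Distinguishing the two matters because a dirty shutdown is a possible truncation of the stream while SSL_ERROR_SSL is a handshake or record failure, and callers may want to react differently. conn_closed() begins and ends outside the hunk, and the declaration of dirty_shutdown is not visible here.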
diff --git a/sample/becat.c b/sample/becat.c
index 00c5a55e..c6daf90a 100644
--- a/sample/becat.c
+++ b/sample/becat.c
@@ -188,6 +188,10 @@ static void ssl_ctx_free(struct ssl_context *ssl)
static int ssl_load_key(struct ssl_context *ssl)
{
int err = 1;
+#if OPENSSL_VERSION_MAJOR >= 3
+ ssl->pkey = EVP_RSA_gen(4096);
+ err = ssl->pkey == NULL;
+#else
BIGNUM *bn;
RSA *key;
@@ -205,6 +209,7 @@ static int ssl_load_key(struct ssl_context *ssl)
err = 0;
err:
BN_free(bn);
+#endif
return err;
}
static int ssl_load_cert(struct ssl_context *ssl)
@@ -386,8 +391,12 @@ static void be_ssl_errors(struct bufferevent *bev)
while ((err = bufferevent_get_openssl_error(bev))) {
const char *msg = ERR_reason_error_string(err);
const char *lib = ERR_lib_error_string(err);
+#if OPENSSL_VERSION_MAJOR >= 3
+ error("ssl/err=%d/%s in %s\n", err, msg, lib);
+#else
const char *func = ERR_func_error_string(err);
error("ssl/err=%d/%s in %s %s\n", err, msg, lib, func);
+#endif
}
}
static int event_cb_(struct bufferevent *bev, short what, int ssl, int stop)
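Review bot: The added `error("ssl/err=%d/%s in %s\n", err, msg, lib);` in be_ssl_errors() prints `err` with `%d`, but bufferevent_get_openssl_error() returns an unsigned long, so, assuming error() forwards to a printf-style function, the conversion does not match the argument type (undefined behaviour, and a truncated or garbled code on LP64 targets); the pre-existing line in the #else branch has the same mismatch, so both should use `%lu`. ERR_reason_error_string() and ERR_lib_error_string() may also return NULL when no string is registered for a code, which `%s` does not tolerate, so a `msg ? msg : "unknown"` style fallback would keep the diagnostic safe; the same applies to the new fprintf() in eventcb() in sample/le-proxy.c. The ssl_load_key() change looks right as far as it is visible: EVP_RSA_gen() returns NULL on failure and `err = ssl->pkey == NULL;` records it, though the middle of that function falls between the two hunks and is not shown.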
diff --git a/sample/le-proxy.c b/sample/le-proxy.c
index d46a5e15..881d3a59 100644
--- a/sample/le-proxy.c
+++ b/sample/le-proxy.c
@@ -113,10 +113,15 @@ eventcb(struct bufferevent *bev, short what, void *ctx)
ERR_reason_error_string(err);
const char *lib = (const char*)
ERR_lib_error_string(err);
+#if OPENSSL_VERSION_MAJOR >= 3
+ fprintf(stderr,
+ "%s in %s\n", msg, lib);
+#else
const char *func = (const char*)
ERR_func_error_string(err);
fprintf(stderr,
"%s in %s %s\n", msg, lib, func);
+#endif
}
if (errno)
perror("connection error");
diff --git a/test/regress_mbedtls.c b/test/regress_mbedtls.c
index 6822fece..df152a2f 100644
--- a/test/regress_mbedtls.c
+++ b/test/regress_mbedtls.c
@@ -48,6 +48,7 @@
#define SSL_renegotiate mbedtls_ssl_renegotiate
#define SSL_get_peer_certificate mbedtls_ssl_get_peer_cert
+#define SSL_get1_peer_certificate mbedtls_ssl_get_peer_cert
#define SSL_new mbedtls_ssl_new
#define SSL_use_certificate(a, b) \
do { \
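Review bot: The new `#define SSL_get1_peer_certificate mbedtls_ssl_get_peer_cert` maps a name whose OpenSSL contract is "returns a new reference the caller must release with X509_free()" onto an mbedtls accessor that, as far as I can tell, hands back a pointer owned by the session; the shared test body in test/regress_ssl.c that releases the certificate is not visible from here, so please confirm that the corresponding free is also neutralised for mbedtls, otherwise the OpenSSL 3 branch of that test would free memory it does not own. A comment on the macro would record the mismatch: `/* mbedtls has no refcount here: the pointer is session-owned, so the matching X509_free must be a no-op in this build. */`.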
diff --git a/test/regress_ssl.c b/test/regress_ssl.c
index 19b29b56..a27f225a 100644
--- a/test/regress_ssl.c
+++ b/test/regress_ssl.c
@@ -224,7 +224,16 @@ eventcb(struct bufferevent *bev, short what, void *ctx)
++n_connected;
ssl = bufferevent_ssl_get_ssl(bev);
tt_assert(ssl);
+#if OPENSSL_VERSION_MAJOR >= 3
+ /* SSL_get1_peer_certificate() means we want
+ * to increase the reference count on the cert
+ * and so we will need to free it ourselves later
+ * when we're done with it. The non-reference count
+ * increasing version is not available in OpenSSL 1.1.1. */
+ peer_cert = SSL_get1_peer_certificate(ssl);
+#else
peer_cert = SSL_get_peer_certificate(ssl);
+#endif
if (type & REGRESS_OPENSSL_SERVER) {
tt_assert(peer_cert == NULL);
} else {
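Review bot: The comment above `peer_cert = SSL_get1_peer_certificate(ssl);` says the non-reference-counting variant is not available in OpenSSL 1.1.1, which reads as if the #else branch returned a borrowed pointer; in fact SSL_get_peer_certificate() in OpenSSL 1.1.1 also increments the reference count and its result must be released with X509_free(), so both branches have the same ownership semantics and the later release must run in both, not only under OPENSSL_VERSION_MAJOR >= 3. I would replace the five-line comment with `/* OpenSSL 3 renamed SSL_get_peer_certificate() to SSL_get1_peer_certificate(); both return a new reference that must be released with X509_free(). */`. Whether and where peer_cert is released, and the remainder of eventcb(), are outside the hunk, so I cannot tell from here whether the 1.1.1 path currently leaks the reference when the test asserts fail before the free.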