diff --git a/build/linux/opengauss/build.sh b/build/linux/opengauss/build.sh index 04ffeff0066ff84baa59e6bed2899dab84204863..6ecd3d57be872c76ad384b28d4468ce5547f899c 100644 --- a/build/linux/opengauss/build.sh +++ b/build/linux/opengauss/build.sh @@ -114,26 +114,18 @@ export PATH=$GCC_PATH/gcc/bin:$PATH export CBB_LIBRARYS=$(pwd)/../../../library [ -d "${CBB_LIBRARYS}/huawei_security" ] && rm -rf ${CBB_LIBRARYS}/huawei_security -[ -d "${CBB_LIBRARYS}/openssl" ] && rm -rf ${CBB_LIBRARYS}/openssl [ -d "${CBB_LIBRARYS}/zlib" ] && rm -rf ${CBB_LIBRARYS}/zlib -[ -d "${CBB_LIBRARYS}/lz4" ] && rm -rf ${CBB_LIBRARYS}/lz4 mkdir -p $CBB_LIBRARYS/huawei_security -mkdir -p $CBB_LIBRARYS/openssl mkdir -p $CBB_LIBRARYS/zlib -mkdir -p $CBB_LIBRARYS/lz4 export LIB_PATH=$binarylib_dir/kernel/dependency export P_LIB_PATH=$binarylib_dir/kernel/platform cp -r $P_LIB_PATH/Huawei_Secure_C/comm/lib $CBB_LIBRARYS/huawei_security/lib -cp -r $LIB_PATH/openssl/comm/lib $CBB_LIBRARYS/openssl/lib cp -r $LIB_PATH/zlib1.2.11/comm/lib $CBB_LIBRARYS/zlib/lib -cp -r $LIB_PATH/lz4/comm/lib $CBB_LIBRARYS/lz4/lib cp -r $P_LIB_PATH/Huawei_Secure_C/comm/include $CBB_LIBRARYS/huawei_security/include -cp -r $LIB_PATH/openssl/comm/include $CBB_LIBRARYS/openssl/include cp -r $LIB_PATH/zlib1.2.11/comm/include $CBB_LIBRARYS/zlib/include -cp -r $LIB_PATH/lz4/comm/include $CBB_LIBRARYS/lz4/include cd $PACKAGE if [ "$build_tool"x == "cmake"x ];then diff --git a/src/cm_protocol/cs_ssl.c b/src/cm_protocol/cs_ssl.c index 7720b19ada3bafec7ab151171a6e42f9af909d8d..0e68cbcc8bdea1a43bd115473fc2c41cf5f8a138 100644 --- a/src/cm_protocol/cs_ssl.c +++ b/src/cm_protocol/cs_ssl.c @@ -29,6 +29,10 @@ #include "cm_signal.h" #include "cm_file.h" #include "openssl/x509v3.h" +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#include +#endif #include "cm_date.h" #include "cm_utils.h" 
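Review bot: With the openssl and lz4 staging removed from build.sh, the OpenSSL headers and libraries the tree compiles against now come from wherever the toolchain finds them, and nothing in this hunk records which versions are expected, even though the rest of this commit branches on `OPENSSL_VERSION_NUMBER` at 1.1.0, 1.1.1 and 3.0. Suggest a comment above the remaining `mkdir` lines such as `# OpenSSL and lz4 are no longer staged into CBB_LIBRARYS; they are resolved from the build environment (see the OPENSSL_VERSION_NUMBER branches in src/cm_protocol/cs_ssl.c).` The cmake/makefile side that presumably still referenced `$CBB_LIBRARYS/openssl` and `$CBB_LIBRARYS/lz4` is not part of this diff, so I cannot confirm it was updated to match.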
@@ -147,11 +151,19 @@ static const char *cs_ssl_last_err_string(char *buf, uint32 size)
 ulong err = ERR_get_error();
 if (err) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 const char *fstr = ERR_func_error_string(err);
+#endif
 const char *rstr = ERR_reason_error_string(err);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 if (snprintf_s(buf, size, size - 1, "error code = %lu, reason code = %d, ssl function = %s:%s ", err,
- ERR_GET_REASON(err), (fstr ? fstr : ""), (rstr ? rstr : "")) == -1) {
+ ERR_GET_REASON(err), (fstr ? fstr : ""), (rstr ? rstr : "")) == -1)
+#else
+ if (snprintf_s(buf, size, size - 1, "error code = %lu, reason code = %d, ssl function = %s ", err,
+ ERR_GET_REASON(err), (rstr ? rstr : "")) == -1)
+#endif
+ {
 return buf;
 }
 } else {
@@ -558,6 +570,7 @@ static unsigned char g_dh3072_g[] = {
 };
 /* function to generate DH key pair */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 static DH *get_dh3072(void)
 {
 DH *dh;
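Review bot: In the OpenSSL 3 branch of cs_ssl_last_err_string the format string still labels its value `ssl function = %s`, but the only argument supplied is `rstr`, the reason string, so the message reports the reason under the wrong label and the two branches produce differently shaped output. Splitting the `if (snprintf_s(...))` condition across `#if`/`#else` with a detached `{` on its own added line is also hard to follow. A smaller change keeps one format string and varies only how `fstr` is obtained, as below; the rest of the function continues outside the hunk.
```c
#if OPENSSL_VERSION_NUMBER < 0x30000000L
        const char *fstr = ERR_func_error_string(err);
#else
        const char *fstr = NULL; /* function-name strings are not provided by the 3.x error queue */
#endif
        const char *rstr = ERR_reason_error_string(err);
        if (snprintf_s(buf, size, size - 1, "error code = %lu, reason code = %d, ssl function = %s:%s ", err,
            ERR_GET_REASON(err), (fstr ? fstr : ""), (rstr ? rstr : "")) == -1) {
            return buf;
        }
        /* … unchanged: else branch … */
```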
@@ -571,15 +584,80 @@ static DH *get_dh3072(void)
 p = BN_bin2bn(g_dh3072_p, sizeof(g_dh3072_p), NULL);
 g = BN_bin2bn(g_dh3072_g, sizeof(g_dh3072_g), NULL);
- if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
+ if ((p == NULL) || (g == NULL)) {
 DH_free(dh);
 BN_free(p);
 BN_free(g);
 return NULL;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if (!DH_set0_pqg(dh, p, NULL, g)) {
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
+ }
+#else
+ dh->p = p;
+ dh->g = g;
+#endif
+
 return dh;
 }
+#else
+static EVP_PKEY *get_dh3072(void) {
+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (!ctx) {
+ return NULL;
+ }
+
+ EVP_PKEY *pkey = NULL;
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ OSSL_PARAM *params = NULL;
+ OSSL_PARAM_BLD *param_bld = NULL;
+
+ do {
+ p = BN_bin2bn(g_dh3072_p, sizeof(g_dh3072_p), NULL);
+ g = BN_bin2bn(g_dh3072_g, sizeof(g_dh3072_g), NULL);
+ if (!p || !g) {
+ break;
+ }
+
+ if (EVP_PKEY_fromdata_init(ctx) <= 0) {
+ break;
+ }
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ break;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) ||
+ !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g)) {
+ break;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ break;
+ }
+
+ if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) {
+ break;
+ }
+ } while(0);
+
+ if(param_bld) OSSL_PARAM_BLD_free(param_bld);
+ if(params) OSSL_PARAM_free(params);
+ if(p) BN_free(p);
+ if(g) BN_free(g);
+ if(ctx) EVP_PKEY_CTX_free(ctx);
+
+ return pkey;
+}
+#endif
 /**
 * Callback function for get PEM info for SSL, add thread lock protect call for 'PEM_def_callback'.
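Review bot: The OpenSSL 3 `get_dh3072` wraps every release in a redundant NULL guard (`if(param_bld) OSSL_PARAM_BLD_free(param_bld);` and the four lines after it) although all of those free functions accept NULL, and the `if(`/`while(0)` spacing and the brace on `static EVP_PKEY *get_dh3072(void) {` differ from the layout of the `static DH *` variant above it and of `cs_ssl_set_tmp_dh`; dropping the guards and matching the file's brace style would make the two variants read alike. The comment `/* function to generate DH key pair */` that now sits above both variants describes neither: they build fixed 3072-bit DH parameters from `g_dh3072_p`/`g_dh3072_g` and generate no key pair, so `/* build the fixed 3072-bit DH parameters (p, g) from g_dh3072_p/g_dh3072_g; returns NULL on failure, caller frees */` would be accurate. The pre-1.1.0 `dh->p = p; dh->g = g;` path looks right to me but neither it nor the `DH_set0_pqg` path has any test visible here. The `static DH *` variant starts before this hunk.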
@@ -610,11 +688,18 @@ static status_t cs_ssl_init(void)
 return CM_SUCCESS;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 if (OPENSSL_init_ssl(OPENSSL_INIT_SSL_DEFAULT, NULL) == 0) {
 cm_spin_unlock(&g_ssl_init_lock);
 CM_THROW_ERROR(ERR_SSL_INIT_FAILED, "Init SSL library failed");
 return CM_ERROR;
 }
+#else
+ SSL_library_init();
+ SSL_load_error_strings();
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+#endif
 g_ssl_initialized = CM_TRUE;
 cm_spin_unlock(&g_ssl_init_lock);
@@ -785,9 +870,15 @@ static status_t cs_ssl_set_cipher(SSL_CTX *ctx, const ssl_config_t *config, bool
 return CM_ERROR;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
 if (tls13_cipher_str != NULL && SSL_CTX_set_ciphersuites(ctx, tls13_cipher_str) != 1) {
 return CM_ERROR;
 }
+#else
+ if (SSL_CTX_set_cipher_list(ctx, tls13_cipher_str) != 1) {
+ return CM_ERROR;
+ }
+#endif
 return CM_SUCCESS;
 }
@@ -862,7 +953,11 @@ static status_t cs_load_crl_file(SSL_CTX *ctx, const char *file)
 (void)BIO_free(in);
 return CM_ERROR;
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ const ASN1_TIME *next_update = X509_CRL_get_nextUpdate(crl);
+#else
 const ASN1_TIME *next_update = X509_CRL_get0_nextUpdate(crl);
+#endif
 if (X509_cmp_current_time(next_update) <= 0) {
 LOG_RUN_WAR("The ssl crl file is expired, jump load crl");
 X509_CRL_free(crl);
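Review bot: The pre-1.1.1 `#else` branch of cs_ssl_set_cipher drops the `tls13_cipher_str != NULL` guard and hands the TLS 1.3 ciphersuite string to `SSL_CTX_set_cipher_list`, which on those versions either replaces whatever cipher list the code above this hunk installed or, as far as I can tell, fails when the string is NULL or names only TLS 1.3 suites, so cipher setup returns CM_ERROR on exactly the builds that have no TLS 1.3 at all. Those versions cannot negotiate TLS 1.3, so the branch should be a no-op rather than a second cipher-list call: `#else` / `(void)tls13_cipher_str; /* TLS 1.3 suites do not exist before 1.1.1 */` / `#endif`. The `X509_CRL_get_nextUpdate` selection in the cs_load_crl_file hunk is repeated verbatim in ssl_check_crl_expire later in this diff; a small static helper returning the next-update time would keep that version split in one place. The bodies of cs_ssl_init, cs_ssl_set_cipher and cs_load_crl_file all extend beyond their hunks.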
@@ -928,15 +1023,26 @@ void cs_ssl_throw_error(int32 ssl_err)
 ulong ret_code;
 const char *file = NULL;
 const char *data = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ const char *func = NULL;
+#endif
 int32 line = 0;
 int32 flags = 0;
 int32 ret;
 /* try get line data from ssl error queue */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 while ((ret_code = ERR_get_error_line_data(&file, &line, &data, &flags))) {
 ret = snprintf_s(err_buf1 + err_len, CM_MESSAGE_BUFFER_SIZE - err_len, CM_MESSAGE_BUFFER_SIZE - 1 - err_len,
 "OpenSSL:%s-%s-%d-%s", ERR_error_string(ret_code, err_buf2), file, line,
 ((uint32)flags & ERR_TXT_STRING) ? data : "");
+#else
+ while ((ret_code = ERR_get_error_all(&file, &line, &func, &data, &flags))) {
+ ret = snprintf_s(err_buf1 + err_len, CM_MESSAGE_BUFFER_SIZE - err_len, CM_MESSAGE_BUFFER_SIZE - 1 - err_len,
+ "OpenSSL:%s-%s-%s-%d-%s", ERR_error_string(ret_code, err_buf2), file, line, func,
+ ((uint32)flags & ERR_TXT_STRING) ? data : "");
+#endif
+
 if (ret == -1) {
 continue;
 }
@@ -1099,6 +1205,7 @@ static status_t cs_ssl_set_cert_auth(SSL_CTX *ctx, const char *cert_file, const
 return CM_SUCCESS;
 }
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 static status_t cs_ssl_set_tmp_dh(SSL_CTX *ctx)
 {
 DH *dh = get_dh3072();
@@ -1114,6 +1221,22 @@ static status_t cs_ssl_set_tmp_dh(SSL_CTX *ctx)
 DH_free(dh);
 return CM_SUCCESS;
 }
+#else
+static status_t cs_ssl_set_tmp_dh(SSL_CTX *ctx)
+{
+ EVP_PKEY *dh_pkey = get_dh3072();
+ if (dh_pkey == NULL) {
+ return CM_ERROR;
+ }
+
+ if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh_pkey)) {
+ EVP_PKEY_free(dh_pkey);
+ return CM_ERROR;
+ }
+
+ return CM_SUCCESS;
+}
+#endif
 static bool32 ssl_check_is_gmtls(ssl_config_t *config)
 {
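Review bot: The OpenSSL 3 branch of cs_ssl_throw_error has its format string and arguments out of step: `"OpenSSL:%s-%s-%s-%d-%s"` expects string, string, string, int, string, but the arguments are `ERR_error_string(...)`, `file`, `line`, `func`, `data`, so the third `%s` receives the int32 `line` and the `%d` receives the `func` pointer, which is undefined behaviour and will at best print garbage and at worst crash inside snprintf_s while reporting an unrelated SSL error. Change the format to `"OpenSSL:%s-%s-%d-%s-%s"` and keep the argument order, and since the code already guards `data`, pass `(func ? func : "")` rather than relying on the library never returning a NULL function name. The loop body continues past the end of this hunk.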
@@ -1168,15 +1291,15 @@ static SSL_CTX *cs_ssl_create_context(ssl_config_t *config, bool32 is_client) /* Negotiate highest available SSL/TLS version */ #ifndef DISABLE_GMTLS - if(!ssl_check_is_gmtls(config)) { - method = is_client ? TLS_client_method() : TLS_server_method(); + if (!ssl_check_is_gmtls(config)) { + method = is_client ? SSLv23_client_method() : SSLv23_server_method(); LOG_RUN_INF("[MES] use tls method"); } else { method = is_client ? GMTLS_client_method() : GMTLS_server_method(); LOG_RUN_INF("[MES] use gmtls method"); } #else - method = is_client ? TLS_client_method() : TLS_server_method(); + method = is_client ? SSLv23_client_method() : SSLv23_server_method(); LOG_RUN_INF("[MES] use tls method"); #endif @@ -1193,7 +1316,8 @@ static SSL_CTX *cs_ssl_create_context(ssl_config_t *config, bool32 is_client) } /* disable SSLv2, SSLv3, TLSv1.0 and TLSv1.1 */ - (void)SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); + (void)SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); + /* Disable moving-write-buffer sanity check, because it may causes unnecessary failures in non-blocking send cases. @@ -1212,7 +1336,9 @@ static SSL_CTX *cs_ssl_create_context(ssl_config_t *config, bool32 is_client) /* disable TLSv1.3 */ if (!is_using_tls13) { +#ifdef SSL_OP_NO_TLSv1_3 (void)SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3); +#endif } /* Support CA file chain */ 
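Review bot: Replacing `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)` with `SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1)` no longer does what the comment above it promises: SSLv3 is absent from that mask, so a 1.0.2 build compiled with SSLv3 support can still negotiate it through the `SSLv23_*_method()` contexts, and the new code is applied unconditionally instead of as a fallback under `#if` like the rest of this commit. The two `TLS_*_method()` to `SSLv23_*_method()` replacements in this hunk have the same shape, trading the current name for a deprecated alias on every 1.1.0+ build. Keep the version-floor call where it exists and use the option mask, including `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`, only on older OpenSSL, as below; cs_ssl_create_context continues outside the hunk.
```c
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
        method = is_client ? TLS_client_method() : TLS_server_method();
#else
        method = is_client ? SSLv23_client_method() : SSLv23_server_method();
#endif
        /* … unchanged: gmtls branch, SSL_CTX_new and its error path … */

    /* disable SSLv2, SSLv3, TLSv1.0 and TLSv1.1 */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    (void)SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
#else
    (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#endif
```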
@@ -1330,14 +1456,15 @@ static int32 ssl_get_expire_day(const ASN1_TIME *ctm, time_t *curr_time)
 static void ssl_check_cert_expire(X509 *cert, int32 alert_day, cert_type_t type)
 {
- const ASN1_TIME *not_after = NULL;
+ ASN1_TIME *not_after = NULL; // Use non-const for OpenSSL 1.0.2k compatibility
 int32 expire_day;
 if (cert == NULL) {
 return;
 }
- not_after = X509_get0_notAfter(cert);
+ // Use X509_get_notAfter for OpenSSL 1.0.2k compatibility
+ not_after = X509_get_notAfter(cert);
 if (X509_cmp_current_time(not_after) <= 0) {
 LOG_RUN_WAR("[MEC]The %s is expired", type == CERT_TYPE_SERVER_CERT ? "server certificate" : "ca");
 } else {
@@ -1355,7 +1482,6 @@ void ssl_ca_cert_expire(const ssl_ctx_t *ssl_context, int32 alert_day)
 SSL_CTX *ctx = SSL_CTX_PTR(ssl_context);
 X509 *cert = NULL;
 X509_STORE *cert_store = NULL;
- X509_OBJECT *obj = NULL;
 if (ssl_context == NULL) {
 return;
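Review bot: The `const` on `not_after` in ssl_check_cert_expire did not need to go: `X509_get_notAfter` yields a non-const `ASN1_TIME *` on every version this commit targets, and that converts to `const ASN1_TIME *` implicitly, so `const ASN1_TIME *not_after = NULL;` together with `not_after = X509_get_notAfter(cert);` compiles everywhere and keeps the read-only intent (`X509_cmp_current_time` takes a const pointer anyway). The two `//` comments are the only line comments this diff shows in a file that otherwise uses `/* */`; one `/* X509_get_notAfter is available on 1.0.2 and later, X509_get0_notAfter is not */` above the assignment would carry the same information in the file's style. ssl_check_cert_expire continues outside the hunk.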
@@ -1371,16 +1497,49 @@ void ssl_ca_cert_expire(const ssl_ctx_t *ssl_context, int32 alert_day)
 return;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 STACK_OF(X509_OBJECT) *objects = X509_STORE_get0_objects(cert_store);
- for (int i = 0; i < sk_X509_OBJECT_num(objects); i++) {
- obj = sk_X509_OBJECT_value(objects, i);
- /* only check for CA certificate, no need for CRL */
- if (X509_OBJECT_get_type(obj) == X509_LU_X509) {
- cert = X509_OBJECT_get0_X509(obj);
+ if (objects != NULL) {
+ for (int i = 0; i < sk_X509_OBJECT_num(objects); i++) {
+ X509_OBJECT *obj = sk_X509_OBJECT_value(objects, i);
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509) {
+ X509 *cert = X509_OBJECT_get0_X509(obj);
+ ssl_check_cert_expire(cert, alert_day, CERT_TYPE_CA_CERT);
+ }
+ }
+ }
+#else
+ if (cert_store == NULL) {
+ return;
+ }
+ STACK_OF(X509) *certs = sk_X509_new_null();
+ if (certs == NULL) {
+ return;
+ }
+ X509_STORE_CTX *store_ctx = X509_STORE_CTX_new();
+ if (store_ctx == NULL) {
+ sk_X509_free(certs);
+ return;
+ }
+
+ if (X509_STORE_CTX_init(store_ctx, cert_store, NULL, NULL) != 1) {
+ X509_STORE_CTX_free(store_ctx);
+ sk_X509_free(certs);
+ return;
+ }
+ STACK_OF(X509) *chain = X509_STORE_CTX_get1_chain(store_ctx);
+ if (chain != NULL) {
+ for (int i = 0; i < sk_X509_num(chain); i++) {
+ X509 *cert = sk_X509_value(chain, i);
 ssl_check_cert_expire(cert, alert_day, CERT_TYPE_CA_CERT);
 }
+ sk_X509_pop_free(chain, X509_free);
 }
+ X509_STORE_CTX_free(store_ctx);
+ sk_X509_free(certs);
+#endif
+
 return;
 }
@@ -1393,7 +1552,11 @@ static status_t ssl_check_crl_expire(X509_CRL *crl, int32 alert_day)
 return CM_SUCCESS;
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ next_update_time = X509_CRL_get_nextUpdate(crl);
+#else
 next_update_time = X509_CRL_get0_nextUpdate(crl);
+#endif
 if (X509_cmp_current_time(next_update_time) <= 0) {
 LOG_RUN_WAR("[MEC]The %s is expired","crl");
 return CM_ERROR;
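Review bot: The pre-1.1.0 branch of ssl_ca_cert_expire checks nothing: `X509_STORE_CTX_get1_chain` returns the chain built by a verification, and no verification is ever run on `store_ctx` (it is initialised with a NULL leaf certificate), so `chain` is NULL, the loop is skipped and CA expiry goes unreported on those builds, while the `certs` stack is allocated, never used, and freed. The CRL counterpart later in this diff walks `crl_store->objs` directly on those versions, and the same approach works for certificates, as below. The 1.1.0+ branch additionally declares a new `X509 *cert` that shadows the `X509 *cert = NULL` still declared at the top of the function, which is now unused and should be removed or reused; and the `#else` branch NULL-checks `cert_store` while the `#if` branch does not, so whichever check exists above this hunk (not visible here) leaves one of them inconsistent. The function starts before the hunk.
```c
#else
    if (cert_store == NULL) {
        return;
    }
    /* pre-1.1.0: X509_STORE is not opaque, walk its object stack directly (as ssl_crl_expire does) */
    STACK_OF(X509_OBJECT) *objects = cert_store->objs;
    for (int i = 0; i < sk_X509_OBJECT_num(objects); i++) {
        X509_OBJECT *obj = sk_X509_OBJECT_value(objects, i);
        /* only check for CA certificate, no need for CRL */
        if (obj->type == X509_LU_X509) {
            ssl_check_cert_expire(obj->data.x509, alert_day, CERT_TYPE_CA_CERT);
        }
    }
#endif
```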
@@ -1423,6 +1586,18 @@ status_t ssl_crl_expire(const ssl_ctx_t *ssl_context, int32 alert_day)
 if (crl_store == NULL) {
 return CM_SUCCESS;
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ STACK_OF(X509_OBJECT) *objects = crl_store->objs;
+ for (int i = 0; i < sk_X509_OBJECT_num(objects); i++) {
+ obj = sk_X509_OBJECT_value(objects, i);
+ if (obj->type == X509_LU_CRL) {
+ crl = obj->data.crl;
+ if (ssl_check_crl_expire(crl, alert_day) == CM_ERROR) {
+ return CM_ERROR;
+ }
+ }
+ }
+#else
 STACK_OF(X509_OBJECT) *objects = X509_STORE_get0_objects(crl_store);
 for (int i = 0; i < sk_X509_OBJECT_num(objects); i++) {
 obj = sk_X509_OBJECT_value(objects, i);
@@ -1433,6 +1608,7 @@ status_t ssl_crl_expire(const ssl_ctx_t *ssl_context, int32 alert_day)
 }
 }
 }
+#endif
 return CM_SUCCESS;
 }
diff --git a/src/cm_security/cm_cipher.c b/src/cm_security/cm_cipher.c
index 7afe4911cc9a68e052785ddc4c66e073f7d61784..da85bfd6e7c9476cca1a561aaf35757fcab8d6e2 100644
--- a/src/cm_security/cm_cipher.c
+++ b/src/cm_security/cm_cipher.c
@@ -303,12 +303,20 @@ status_t cm_encrypt_pwd(uchar *plain_text, uint32 plain_len, cipher_t *cipher)
 return CM_ERROR;
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (RAND_bytes(cipher->rand, RANDOM_LEN) != 1) {
+#else
 if (RAND_priv_bytes(cipher->rand, RANDOM_LEN) != 1) {
+#endif
 LOG_DEBUG_ERR("cm_encrypt_pwd generate rand key failed");
 return CM_ERROR;
 }
- if (RAND_priv_bytes(cipher->salt, RANDOM_LEN) != 1) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (RAND_bytes(cipher->rand, RANDOM_LEN) != 1) {
+#else
+ if (RAND_priv_bytes(cipher->rand, RANDOM_LEN) != 1) {
+#endif
 LOG_DEBUG_ERR("cm_encrypt_pwd generate salt key failed");
 return CM_ERROR;
 }
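Review bot: The pre-1.1.0 loop added to ssl_crl_expire duplicates the 1.1.0+ loop that follows it line for line, differing only in how the object's type and CRL are read (`obj->type`/`obj->data.crl` versus the accessor functions), so the `#if` spans the whole loop and any later fix must be made twice. Two small static helpers, e.g. `ssl_x509_object_type(obj)` and `ssl_x509_object_crl(obj)`, each with the version split inside, would leave a single loop body; the same pair would serve the ssl_ca_cert_expire hunk earlier in this diff. `obj` and `crl` are assigned in both branches without a visible declaration, so they presumably come from the part of the function above this hunk.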
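Review bot: The second block of the cm_encrypt_pwd hunk no longer fills `cipher->salt`: the removed line was `RAND_priv_bytes(cipher->salt, RANDOM_LEN)`, but both replacement lines write `cipher->rand` again, and the @@ -326 hunk in the same file does the same to `cipher->IV`, so after this change the salt and IV are never generated, `rand` is overwritten three times, and "generate salt key failed" / "generate IV key failed" no longer describe the lines they guard. Restore the field names, `if (RAND_bytes(cipher->salt, RANDOM_LEN) != 1) {` and `if (RAND_priv_bytes(cipher->salt, RANDOM_LEN) != 1) {` here, and `cipher->IV` in both lines of the later hunk. Separately, `RAND_priv_bytes` was introduced in OpenSSL 1.1.1, so the `< 0x10100000L` guard used here, in the @@ -326 hunk and in cm_rand in cm_encrypt.c leaves 1.1.0 builds calling an undeclared function; the guard should be `< 0x10101000L`, matching the one this commit already uses for `SSL_CTX_set_ciphersuites`. cm_encrypt_pwd continues outside the hunk.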
@@ -326,7 +334,11 @@ status_t cm_encrypt_pwd(uchar *plain_text, uint32 plain_len, cipher_t *cipher)
 LOG_DEBUG_ERR("PKCS5_PBKDF2_HMAC generate the derived key failed, errcode:%d", ret);
 return CM_ERROR;
 }
- if (RAND_priv_bytes(cipher->IV, RANDOM_LEN) != 1) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (RAND_bytes(cipher->rand, RANDOM_LEN) != 1) {
+#else
+ if (RAND_priv_bytes(cipher->rand, RANDOM_LEN) != 1) {
+#endif
 LOG_DEBUG_ERR("cm_encrypt_pwd generate IV key failed");
 return CM_ERROR;
 }
diff --git a/src/cm_security/cm_encrypt.c b/src/cm_security/cm_encrypt.c
index be6d71a9528f1650ef607c34420899b34a8bcb51..c758c994317e3884defb947a6fa716d2b506966f 100644
--- a/src/cm_security/cm_encrypt.c
+++ b/src/cm_security/cm_encrypt.c
@@ -257,7 +257,11 @@ status_t cm_rand(uchar *buf, uint32 len)
 return CM_ERROR;
 }
- if (RAND_priv_bytes(buf, (int)len) != 1) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (RAND_bytes(buf, len) != 1) {
+#else
+ if (RAND_priv_bytes(buf, len) != 1) {
+#endif
 LOG_DEBUG_ERR("cm_rand generate random failed");
 return CM_ERROR;
 }
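Review bot: Both new lines in cm_rand drop the `(int)len` cast that the removed line had; `RAND_bytes` and `RAND_priv_bytes` take an `int` count, so the `uint32` now converts implicitly, which -Wconversion flags and which silently turns any `len` above INT_MAX into a negative count. Keep the cast on both lines, `if (RAND_bytes(buf, (int)len) != 1) {` and `if (RAND_priv_bytes(buf, (int)len) != 1) {`, or reject such lengths in the check above the hunk. cm_rand starts before this hunk.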