diff --git a/src/network/protocol/cs_ssl.c b/src/network/protocol/cs_ssl.c
index f43915c55e039a2824640a53f53aec459d893c60..9605dfd150c9b0581803cbd76110e02b0c371e1d 100644
--- a/src/network/protocol/cs_ssl.c
+++ b/src/network/protocol/cs_ssl.c
@@ -28,6 +28,10 @@
 #include "cm_signal.h"
 #include "cm_file.h"
 #include "openssl/x509v3.h"
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include
+#include
+#endif
 #include "cm_date.h"
 #include "cm_utils.h"
@@ -141,11 +145,19 @@ static const char *cs_ssl_last_err_string(char *buf, uint32 size)
 ulong err = ERR_get_error();
 if (err) {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 const char *fstr = ERR_func_error_string(err);
+#endif
 const char *rstr = ERR_reason_error_string(err);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 if (snprintf_s(buf, size, size - 1, "error code = %lu, reason code = %d, ssl function = %s:%s ",
- err, ERR_GET_REASON(err), (fstr ? fstr : ""), (rstr ? rstr : "")) == -1) {
+ err, ERR_GET_REASON(err), (fstr ? fstr : ""), (rstr ? rstr : "")) == -1)
+#else
+ if (snprintf_s(buf, size, size - 1, "error code = %lu, reason code = %d, ssl function = %s ",
+ err, ERR_GET_REASON(err), (rstr ? rstr : "")) == -1)
+#endif
+ {
 return buf;
 }
 }
@@ -548,6 +560,7 @@ static unsigned char g_dh3072_g[] = {
 };
 /* function to generate DH key pair */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 static DH *get_dh3072(void)
 {
 DH *dh;
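Review bot: The two added `#include` directives come through empty in this rendering, so the header names cannot be checked here; the OpenSSL 3 code added later in this commit relies on `OSSL_PARAM_BLD_*` and `OSSL_PKEY_PARAM_FFC_P`/`OSSL_PKEY_PARAM_FFC_G`, which are declared in `openssl/param_build.h` and `openssl/core_names.h`, so those are presumably the two. Worth confirming both are present, because a missing one breaks only the OpenSSL 3 build and would not show up on a pre-3.0 toolchain.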
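Review bot: In the OpenSSL 3 branch of `cs_ssl_last_err_string` the label `ssl function = %s` is now filled with `rstr`, the reason string, because `ERR_func_error_string()` no longer yields anything in 3.0; the resulting message mislabels the reason as a function name for anyone reading or grepping logs. Suggest `"error code = %lu, reason code = %d, reason = %s "` in that branch, or keep the old shape with an empty function field so both builds emit the same layout, plus a one-line comment above the first `#if` such as `/* OpenSSL 3.0 removed ERR_func_error_string(); no function name is available there */`. Splitting a single `if` condition across `#if`/`#else` with the `{` left on its own line is fragile; computing the result into a local `int n` inside each branch and testing `n == -1` once after `#endif` keeps the control flow in one piece.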
@@ -570,6 +583,59 @@ static DH *get_dh3072(void)
 return dh;
 }
+#else
+static EVP_PKEY *get_dh3072(void) {
+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (!ctx) {
+ return NULL;
+ }
+
+ EVP_PKEY *pkey = NULL;
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ OSSL_PARAM *params = NULL;
+ OSSL_PARAM_BLD *param_bld = NULL;
+
+ do {
+ p = BN_bin2bn(g_dh3072_p, sizeof(g_dh3072_p), NULL);
+ g = BN_bin2bn(g_dh3072_g, sizeof(g_dh3072_g), NULL);
+ if (!p || !g) {
+ break;
+ }
+
+ if (EVP_PKEY_fromdata_init(ctx) <= 0) {
+ break;
+ }
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ break;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) ||
+ !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g)) {
+ break;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ break;
+ }
+
+ if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) {
+ break;
+ }
+ } while(0);
+
+ if(param_bld) OSSL_PARAM_BLD_free(param_bld);
+ if(params) OSSL_PARAM_free(params);
+ if(p) BN_free(p);
+ if(g) BN_free(g);
+ if(ctx) EVP_PKEY_CTX_free(ctx);
+
+ return pkey;
+}
+#endif
 /**
 * Callback function for get PEM info for SSL, add thread lock protect call for 'PEM_def_callback'.
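Review bot: The cleanup tail of the new OpenSSL 3 `get_dh3072()` guards every release with an unbraced one-liner, `if(param_bld) OSSL_PARAM_BLD_free(param_bld);` and so on, although `OSSL_PARAM_BLD_free`, `OSSL_PARAM_free`, `BN_free` and `EVP_PKEY_CTX_free` all accept NULL and `ctx` is already known non-NULL by then; writing the five calls as plain statements, with `if (` spacing and `} while (0);`, and moving the function's opening brace onto its own line would match the pre-3.0 variant and the `cs_ssl_set_tmp_dh` definitions elsewhere in this commit. The shared header comment `/* function to generate DH key pair */` is inaccurate for this variant, which imports only domain parameters (`EVP_PKEY_KEY_PARAMETERS`) and generates no key; suggest `/* Build an EVP_PKEY holding the fixed 3072-bit DH parameters (p, g) from g_dh3072_p/g_dh3072_g; returns NULL on failure, caller owns the result */` above it. The function is complete within this hunk.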
@@ -905,15 +971,25 @@ void cs_ssl_throw_error(int32 ssl_err)
 ulong ret_code;
 const char *file = NULL;
 const char *data = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ const char *func = NULL;
+#endif
 int32 line = 0;
 int32 flags = 0;
 int32 ret;
 /* try get line data from ssl error queue */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 while ((ret_code = ERR_get_error_line_data(&file, &line, &data, &flags))) {
 ret = snprintf_s(err_buf1 + err_len, CM_MESSAGE_BUFFER_SIZE - err_len, (CM_MESSAGE_BUFFER_SIZE - 1) - err_len,
 "OpenSSL:%s-%s-%d-%s",
 ERR_error_string(ret_code, err_buf2), file, line, (flags & ERR_TXT_STRING) ? data : "");
+#else
+ while ((ret_code = ERR_get_error_all(&file, &line, &func, &data, &flags))) {
+ ret = snprintf_s(err_buf1 + err_len, CM_MESSAGE_BUFFER_SIZE - err_len, CM_MESSAGE_BUFFER_SIZE - 1 - err_len,
+ "OpenSSL:%s-%s-%s-%d-%s",
+ ERR_error_string(ret_code, err_buf2), file, line, func, (flags & ERR_TXT_STRING) ? data : "");
+#endif
 if (ret == -1) {
 continue;
 }
@@ -1076,6 +1152,7 @@ static status_t cs_ssl_set_cert_auth(SSL_CTX *ctx, const char *cert_file, const
 return CM_SUCCESS;
 }
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 static status_t cs_ssl_set_tmp_dh(SSL_CTX *ctx)
 {
 DH *dh = get_dh3072();
@@ -1091,6 +1168,22 @@ static status_t cs_ssl_set_tmp_dh(SSL_CTX *ctx)
 DH_free(dh);
 return CM_SUCCESS;
 }
+#else
+static status_t cs_ssl_set_tmp_dh(SSL_CTX *ctx)
+{
+ EVP_PKEY *dh_pkey = get_dh3072();
+ if (dh_pkey == NULL) {
+ return CM_ERROR;
+ }
+
+ if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dh_pkey)) {
+ EVP_PKEY_free(dh_pkey);
+ return CM_ERROR;
+ }
+
+ return CM_SUCCESS;
+}
+#endif
 /**
 * create a new ssl context object.
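Review bot: The OpenSSL 3 branch of `cs_ssl_throw_error` passes its arguments in the wrong order for the new format: `"OpenSSL:%s-%s-%s-%d-%s"` is given `file, line, func`, so the third `%s` receives the `int32 line` and `%d` receives the `const char *func` pointer, which is undefined behaviour and in practice prints garbage or crashes exactly when an SSL error is being reported. Either swap the two arguments, `ERR_error_string(ret_code, err_buf2), file, func, line, (flags & ERR_TXT_STRING) ? data : ""`, or change the format to `"OpenSSL:%s-%s-%d-%s-%s"` so `line` stays third as in the pre-3.0 branch. A printf-style format attribute on the `snprintf_s` declaration would let `-Wformat` catch this class of mismatch at compile time; the loop body continues past the hunk, so the `err_len` bookkeeping that follows is not visible here.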
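Review bot: The ownership transfer in the OpenSSL 3 `cs_ssl_set_tmp_dh` is correct but undocumented: `SSL_CTX_set0_tmp_dh_pkey()` takes ownership of `dh_pkey` on success and leaves it with the caller on failure, which is why `EVP_PKEY_free()` appears only in the error branch, whereas the pre-3.0 variant calls `DH_free(dh)` unconditionally because `SSL_CTX_set_tmp_dh` copies. A comment on the call, `/* set0: on success the SSL_CTX owns dh_pkey, so free it only on failure */`, would stop a later reader from "fixing" the apparent asymmetry between the two variants.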