diff --git a/build/linux/opengauss/build.sh b/build/linux/opengauss/build.sh
index f58d5cb8808c72f99fa03d11cf1db33ed0a6c5b5..ca3cd3e6caab1a17dd7224f50875e049602ceaa8 100644
--- a/build/linux/opengauss/build.sh
+++ b/build/linux/opengauss/build.sh
@@ -111,24 +111,15 @@ export DCF_LIBRARYS=$(pwd)/../../../library
 [ -d "${DCF_LIBRARYS}" ] && rm -rf ${DCF_LIBRARYS}
 mkdir -p $DCF_LIBRARYS/huawei_security
-mkdir -p $DCF_LIBRARYS/openssl
-mkdir -p $DCF_LIBRARYS/lz4
-mkdir -p $DCF_LIBRARYS/zstd
 mkdir -p $DCF_LIBRARYS/cJSON
 export LIB_PATH=$binarylib_dir/kernel/dependency/
 export P_LIB_PATH=$binarylib_dir/kernel/platform/
 cp -r $P_LIB_PATH/Huawei_Secure_C/comm/lib $DCF_LIBRARYS/huawei_security/lib
-cp -r $LIB_PATH/openssl/comm/lib $DCF_LIBRARYS/openssl/lib
-cp -r $LIB_PATH/zstd/lib $DCF_LIBRARYS/zstd/lib
-cp -r $LIB_PATH/lz4/comm/lib $DCF_LIBRARYS/lz4/lib
 cp -r $LIB_PATH/cjson/comm/lib $DCF_LIBRARYS/cJSON/lib
 cp -r $P_LIB_PATH/Huawei_Secure_C/comm/include $DCF_LIBRARYS/huawei_security/include
-cp -r $LIB_PATH/openssl/comm/include $DCF_LIBRARYS/openssl/include
-cp -r $LIB_PATH/zstd/include $DCF_LIBRARYS/zstd/include
-cp -r $LIB_PATH/lz4/comm/include $DCF_LIBRARYS/lz4/include
 cp -r $LIB_PATH/cjson/comm/include/cjson $DCF_LIBRARYS/cJSON/include
 cd $PACKAGE
diff --git a/src/common/cm_security/cm_cipher.c b/src/common/cm_security/cm_cipher.c
index 581cbd76a82c5b41adb59ef4515604c22fb2e168..ecdafc5bc1fef2f900ea0fca5b9d6ff10ac74841 100644
--- a/src/common/cm_security/cm_cipher.c
+++ b/src/common/cm_security/cm_cipher.c
@@ -236,6 +236,7 @@ status_t cm_encrypt_pwd(uchar *plain_text, uint32 plain_len, cipher_t *cipher)
 return CM_ERROR;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
 if (RAND_priv_bytes(cipher->rand, RANDOM_LEN) != 1) {
 LOG_DEBUG_ERR("cm_encrypt_pwd generate rand key failed");
 return CM_ERROR;
@@ -245,6 +246,16 @@ status_t cm_encrypt_pwd(uchar *plain_text, uint32 plain_len, cipher_t *cipher)
 LOG_DEBUG_ERR("cm_encrypt_pwd generate salt key failed");
 return CM_ERROR;
 }
+#else
+ if (RAND_bytes(cipher->rand, RANDOM_LEN) != 1) {
+ LOG_DEBUG_ERR("cm_encrypt_pwd generate rand key failed");
+ return CM_ERROR;
+ }
+ if (RAND_bytes(cipher->salt, RANDOM_LEN) != 1) {
+ LOG_DEBUG_ERR("cm_encrypt_pwd generate salt key failed");
+ return CM_ERROR;
+ }
+#endif
 uchar key[RANDOM_LEN] = { 0 };
 /* use PKCS5 HMAC sha256 to dump the key for encryption */
@@ -254,10 +265,17 @@ status_t cm_encrypt_pwd(uchar *plain_text, uint32 plain_len, cipher_t *cipher)
 LOG_DEBUG_ERR("PKCS5_PBKDF2_HMAC generate the derived key failed, errcode:%d", ret);
 return CM_ERROR;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
 if (RAND_priv_bytes(cipher->IV, RANDOM_LEN) != 1) {
 LOG_DEBUG_ERR("cm_encrypt_pwd generate IV key failed");
 return CM_ERROR;
 }
+#else
+ if (RAND_bytes(cipher->IV, RANDOM_LEN) != 1) {
+ LOG_DEBUG_ERR("cm_encrypt_pwd generate IV key failed");
+ return CM_ERROR;
+ }
+#endif
 if (CRYPT_encrypt(NID_aes_128_cbc, key, RANDOM_LEN, plain_text, plain_len, cipher) != CM_SUCCESS) {
 return CM_ERROR;
@@ -292,10 +310,17 @@ status_t cm_rand(uchar *buf, uint32 len)
 return CM_ERROR;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
 if (RAND_priv_bytes(buf, (int)len) != 1) {
 LOG_DEBUG_ERR("cm_rand generate random failed");
 return CM_ERROR;
 }
+#else
+ if (RAND_bytes(buf, (int)len) != 1) {
+ LOG_DEBUG_ERR("cm_rand generate random failed");
+ return CM_ERROR;
+ }
+#endif
 return CM_SUCCESS;
 }
\ No newline at end of file
diff --git a/src/network/protocol/cs_ssl.c b/src/network/protocol/cs_ssl.c
index f43915c55e039a2824640a53f53aec459d893c60..50307cd8f6b311be3f16fa50397ee2de6874d9fb 100644
--- a/src/network/protocol/cs_ssl.c
+++ b/src/network/protocol/cs_ssl.c
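Review bot: The `#else` block added here is the first of three verbatim copies of the same RAND_bytes fallback in this file (the IV hunk and the cm_rand hunk repeat it), so the OpenSSL-version decision for random generation now lives in four places. Since `cm_rand()` in this same file already wraps the identical `RAND_priv_bytes`/`RAND_bytes` selection with the same `!= 1` error handling, the rand and salt generation could collapse to `if (cm_rand(cipher->rand, RANDOM_LEN) != CM_SUCCESS || cm_rand(cipher->salt, RANDOM_LEN) != CM_SUCCESS) { return CM_ERROR; }`, leaving one place to audit when the minimum OpenSSL is raised. That assumes cm_rand is declared before cm_encrypt_pwd (presumably via the header, since it is non-static) and accepts losing the per-field log message. cm_encrypt_pwd's body starts and ends outside this hunk.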
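Review bot: The new `RAND_bytes(buf, (int)len)` line inherits the unchecked `uint32` to `int` narrowing from the RAND_priv_bytes line above it; if the guard at the top of cm_rand (its condition is outside the hunk) does not bound len, a value above INT_MAX arrives as a negative count, which is outside the documented contract of both APIs and is not handled the same way by every OpenSSL version this patch now targets. Unless that guard already rejects it, add `if (len > (uint32)INT_MAX) { return CM_ERROR; }` before the `#if`, so both branches see the same sanitised length. The start of cm_rand is outside this hunk.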
@@ -561,12 +561,23 @@ static DH *get_dh3072(void)
 p = BN_bin2bn(g_dh3072_p, sizeof(g_dh3072_p), NULL);
 g = BN_bin2bn(g_dh3072_g, sizeof(g_dh3072_g), NULL);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
 DH_free(dh);
 BN_free(p);
 BN_free(g);
 return NULL;
 }
+#else
+ if ((p == NULL) || (g == NULL)) {
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
+ }
+ dh->p = p;
+ dh->g = g;
+#endif
 return dh;
 }
@@ -600,11 +611,18 @@ static status_t cs_ssl_init()
 return CM_SUCCESS;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 if (OPENSSL_init_ssl(OPENSSL_INIT_SSL_DEFAULT, NULL) == 0) {
 cm_spin_unlock(&g_ssl_init_lock);
 CM_THROW_ERROR(ERR_SSL_INIT_FAILED, "Init SSL library failed");
 return CM_ERROR;
 }
+#else
+ SSL_library_init();
+ SSL_load_error_strings();
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+#endif
 g_ssl_initialized = CM_TRUE;
 cm_spin_unlock(&g_ssl_init_lock);
@@ -775,9 +793,15 @@ static status_t cs_ssl_set_cipher(SSL_CTX *ctx, ssl_config_t *config, bool32* is
 return CM_ERROR;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
 if (tls13_cipher_str != NULL && SSL_CTX_set_ciphersuites(ctx, tls13_cipher_str) != 1) {
 return CM_ERROR;
 }
+#else
+ if (tls13_cipher_str != NULL) {
+ fprintf(stderr, "Warning: TLS 1.3 is not supported in this OpenSSL version.\n");
+ }
+#endif
 return CM_SUCCESS;
 }
@@ -1120,7 +1144,11 @@ static SSL_CTX *cs_ssl_create_context(ssl_config_t *config, bool32 is_client)
 const SSL_METHOD *method = NULL;
 /* Negotiate highest available SSL/TLS version */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 method = is_client ? TLS_client_method() : TLS_server_method();
+#else
+ method = is_client ? SSLv23_client_method() : SSLv23_server_method();
+#endif
 ctx = SSL_CTX_new(method);
 if (ctx == NULL) {
 CM_THROW_ERROR(ERR_SSL_INIT_FAILED, cs_ssl_init_err_string(SSL_INITERR_MEMFAIL));
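Review bot: The pre-1.1.0 fallback added to cs_ssl_init initialises the library but installs no locking callbacks, which OpenSSL 1.0.x requires from the application (`CRYPTO_set_locking_callback` / `CRYPTO_THREADID_set_callback`) before SSL objects are touched from more than one thread; the spin lock guarding this very init suggests the process is multithreaded, so a 1.0.x build would race on the shared error queue and object refcounts. Either register those callbacks in the `#else` branch, or make the limitation explicit with `/* NOTE: OpenSSL < 1.1.0 is not thread-safe without application-supplied locking callbacks; none are installed here. */` so nobody ships the legacy build into a threaded deployment by accident. cs_ssl_init begins outside this hunk.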
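Review bot: The fallback branch in cs_ssl_set_cipher reports an unsupported TLS 1.3 ciphersuite configuration with `fprintf(stderr, ...)` and then returns CM_SUCCESS, so on OpenSSL < 1.1.1 an operator-supplied TLS 1.3 cipher list is silently dropped with a message that bypasses the module's logging and is easy to miss in a daemon. At minimum route it through the logger the file already uses, `LOG_RUN_WAR("TLS 1.3 ciphersuites are configured but this OpenSSL version does not support TLS 1.3; they are ignored");`, and consider whether a configuration the build cannot honour should be an error rather than a warning. Whether the `is_using_tls13` output parameter is cleared on this path is not visible; the function's start is outside the hunk.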
@@ -1134,7 +1162,12 @@ static SSL_CTX *cs_ssl_create_context(ssl_config_t *config, bool32 is_client)
 }
 /* disable SSLv2, SSLv3, TLSv1.0 and TLSv1.1 */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 (void)SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+#else
+ long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
+ SSL_CTX_set_options(ctx, options);
+#endif
 /* Disable moving-write-buffer sanity check, because it may causes unnecessary failures in non-blocking send cases.
@@ -1152,10 +1185,13 @@ static SSL_CTX *cs_ssl_create_context(ssl_config_t *config, bool32 is_client)
 }
 /* disable TLSv1.3 */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 if (!is_using_tls13) {
 (void)SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
 }
-
+#else
+ (void)is_using_tls13;
+#endif
 /* Support CA file chain */
 if (cs_ssl_set_ca_chain(ctx, config, is_client) != CM_SUCCESS) {
 CM_SSL_FREE_CTX_AND_RETURN(SSL_INITERR_LOAD_CA, ctx, NULL);
@@ -1228,7 +1264,11 @@ void ssl_check_cert_expire(X509 *cert, int32 alert_day, cert_type_t type)
 return;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 not_after = X509_get0_notAfter(cert);
+#else
+ not_after = X509_get_notAfter(cert);
+#endif
 if (X509_cmp_current_time(not_after) <= 0) {
 LOG_RUN_WAR("[MEC]The %s is expired", type == CERT_TYPE_SERVER_CERT ? "server certificate" : "ca");
 } else {
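Review bot: The legacy branch only sets `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1`, so on OpenSSL < 1.1.0 TLS 1.1 remains negotiable, contradicting both the comment directly above it (`disable ... TLSv1.1`) and the TLS1_2_VERSION floor the other branch enforces. `SSL_OP_NO_TLSv1_1` has been available since OpenSSL 1.0.1, so the line should read `long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;` and, matching the `(void)` convention of the other branch, `(void)SSL_CTX_set_options(ctx, options);`. cs_ssl_create_context continues outside this hunk.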
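Review bot: The TLS 1.3 disable branch is guarded by `OPENSSL_VERSION_NUMBER >= 0x10100000L` but uses `SSL_OP_NO_TLSv1_3`, which was introduced together with TLS 1.3 support in OpenSSL 1.1.1, so a build against 1.1.0 would fail to compile here; the `SSL_CTX_set_ciphersuites` hunk earlier in this file already uses the tighter `0x10101000L` threshold for exactly that reason. Change the guard to `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` so 1.1.0 falls into the `(void)is_using_tls13;` branch, where there is no TLS 1.3 to disable anyway. cs_ssl_create_context continues outside this hunk.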
@@ -1261,14 +1301,25 @@ void ssl_ca_cert_expire(const ssl_ctx_t *ssl_context, int32 alert_day)
 return;
 }
- STACK_OF(X509_OBJECT)* objects = X509_STORE_get0_objects(cert_store);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ STACK_OF(X509_OBJECT) *objects = X509_STORE_get0_objects(cert_store);
+#else
+ STACK_OF(X509_OBJECT) *objects = cert_store->objs;
+#endif
 for (int i = 0; i < sk_X509_OBJECT_num(objects); i++) {
 obj = sk_X509_OBJECT_value(objects, i);
 /* only check for CA certificate, no need for CRL */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 if (X509_OBJECT_get_type(obj) == X509_LU_X509) {
- cert = X509_OBJECT_get0_X509(obj);
+ X509 *cert = X509_OBJECT_get0_X509(obj);
 ssl_check_cert_expire(cert, alert_day, CERT_TYPE_CA_CERT);
 }
+#else
+ if (obj->type == X509_LU_X509) {
+ X509 *cert = obj->data.x509;
+ ssl_check_cert_expire(cert, alert_day, CERT_TYPE_CA_CERT);
+ }
+#endif
 }
 return;
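Review bot: Replacing `cert = X509_OBJECT_get0_X509(obj);` with a block-scoped `X509 *cert` leaves whatever `cert` the function declared before this hunk (the declaration is outside the visible lines) unused, and the inner declaration shadows it, which will trip `-Wshadow` / `-Wunused-variable` builds; either drop the outer declaration in the same change or keep assigning to it. The `#if`/`#else` also duplicates the whole `if` body when only the two accessor expressions differ, so moving the version check into a small static helper that yields the certificate or NULL leaves one loop body to maintain, as sketched below. ssl_ca_cert_expire's closing brace and its `obj` declaration are outside this hunk.
```c
/* Return the CA certificate held by a store entry, or NULL for CRLs and other entry types. */
static X509 *ca_cert_of(X509_OBJECT *obj)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    return X509_OBJECT_get_type(obj) == X509_LU_X509 ? X509_OBJECT_get0_X509(obj) : NULL;
#else
    return obj->type == X509_LU_X509 ? obj->data.x509 : NULL;
#endif
}

/* … unchanged: ssl_ca_cert_expire up to the objects lookup … */
    for (int i = 0; i < sk_X509_OBJECT_num(objects); i++) {
        /* only check for CA certificate, no need for CRL */
        X509 *cert = ca_cert_of(sk_X509_OBJECT_value(objects, i));
        if (cert != NULL) {
            ssl_check_cert_expire(cert, alert_day, CERT_TYPE_CA_CERT);
        }
    }
```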