commit 17b6f3bbc6d47efda36fed8387474f66a2528b3f
parent 6ccae503ae8fc179d9bd1f997efded500c63084b
Author: Joris Vink <joris@coders.se>
Date: Wed, 28 Dec 2022 11:09:15 +0100
Disable deprecated warnings for OpenSSL 3.
Until the replacement is done, make sure Kore builds against OpenSSL 3
so it can still be used, as most distros have moved to it.
Diffstat:
3 files changed, 52 insertions(+), 101 deletions(-)
diff --git a/src/cli.c b/src/cli.c
@@ -43,6 +43,24 @@
#include <unistd.h>
#include <utime.h>
+/*
+ * Turn off deprecated function warnings when building against OpenSSL 3.
+ *
+ * The OpenSSL 3 library deprecated most low-level functions in favour
+ * for their higher level APIs.
+ *
+ * I am planning a replacement, but for now we can still make it build
+ * and function by ignoring these warnings completely.
+ *
+ * The functions in question are:
+ * - SHA256_Init, SHA256_Update, SHA256_Final
+ * - RSA_new, RSA_generate_key_ex
+ * - EVP_PKEY_assign
+ */
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
+
#define errno_s strerror(errno)
#define ssl_errno_s ERR_error_string(ERR_get_error(), NULL)
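Review bot: The `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` added here applies to everything that follows in the translation unit, so it also hides deprecations unrelated to OpenSSL (libc, project headers) in cli.c, and the identical block is pasted into keymgr_openssl.c and tls_openssl.c in this same commit. OpenSSL 3 offers a narrower knob: defining `OPENSSL_SUPPRESS_DEPRECATED` before the first `<openssl/...>` include (or `-DOPENSSL_SUPPRESS_DEPRECATED` in the build) only disables OpenSSL's own deprecation attributes; the includes it would have to precede are above this hunk, so that placement would have to be checked. If the pragma is kept, bracketing the affected call sites with `#pragma GCC diagnostic push` / `#pragma GCC diagnostic pop` would bound its effect instead of disabling the warning for the rest of the file. Minor wording in the new comment: "in favour for their higher level APIs" should read "in favour of".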
diff --git a/src/keymgr_openssl.c b/src/keymgr_openssl.c
@@ -63,6 +63,16 @@
#include "acme.h"
#endif
+/*
+ * Disable deprecated declaration warnings if we're building against
+ * OpenSSL 3 as they marked all low-level APIs as deprecated.
+ *
+ * Work is being done to replace these, but for now let things build.
+ */
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
+
#define RAND_TMP_FILE "rnd.tmp"
#define RAND_POLL_INTERVAL (1800 * 1000)
#define RAND_FILE_SIZE 1024
@@ -168,10 +178,11 @@ struct key {
TAILQ_ENTRY(key) list;
};
-char *kore_rand_file = NULL;
-
-static TAILQ_HEAD(, key) keys;
-static int initialized = 0;
+/* Helper for weird API designs (looking at you OpenSSL). */
+union deconst {
+ void *p;
+ const void *cp;
+};
#if defined(KORE_USE_ACME)
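Review bot: The comment on `union deconst` says only that it works around "weird API designs"; it should say what it is for and the constraint that comes with it. Its one use in this diff strips the `const` that OpenSSL 3's `EVP_PKEY_get0_RSA()` puts on its return value, and if I read the 3.0 manual for the get0 accessors correctly the returned object is read-only (it may be a cached copy of a provider key), so writing through the de-consted pointer would be outside the API contract. Suggested replacement comment: `/* Strips const from OpenSSL 3 get0_*() return values (e.g. EVP_PKEY_get0_RSA()) so RSA_*() functions taking a non-const pointer accept them; the object must still be treated as read-only. */`. The `#if defined(KORE_USE_ACME)` block that follows continues outside this hunk.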
@@ -251,8 +262,6 @@ static void keymgr_x509_msg(const char *, const void *, size_t, int, int);
static void keymgr_rsa_encrypt(struct kore_msg *, const void *,
struct key *);
-static void keymgr_ecdsa_sign(struct kore_msg *, const void *,
- struct key *);
#if defined(__OpenBSD__)
#if defined(KORE_USE_ACME)
@@ -262,6 +271,11 @@ static const char *keymgr_pledges = "stdio rpath";
#endif
#endif
+static TAILQ_HEAD(, key) keys;
+static int initialized = 0;
+
+char *kore_rand_file = NULL;
+
void
kore_keymgr_run(void)
{
@@ -658,9 +672,6 @@ keymgr_msg_recv(struct kore_msg *msg, const void *data)
case EVP_PKEY_RSA:
keymgr_rsa_encrypt(msg, data, key);
break;
- case EVP_PKEY_EC:
- keymgr_ecdsa_sign(msg, data, key);
- break;
default:
break;
}
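Review bot: A key request for any non-RSA key now falls into `default: break;` and is dropped without a response or a log line, while the requesting worker (tls_keymgr_await_data, visible in the tls_openssl.c hunk) is written to wait for an answer. Nothing on the new side still sends an EC request, so this is about diagnosability rather than a live hang, but one line in the default arm, e.g. `kore_log(LOG_NOTICE, "keymgr: request for unsupported key type");`, would make a future worker/keymgr mismatch visible instead of silent. keymgr_msg_recv starts before this hunk and its body continues after it.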
@@ -685,6 +696,7 @@ keymgr_msg_recv(struct kore_msg *msg, const void *data)
static void
keymgr_rsa_encrypt(struct kore_msg *msg, const void *data, struct key *key)
{
+ union deconst cp;
int ret;
RSA *rsa;
const struct kore_keyreq *req;
@@ -692,7 +704,9 @@ keymgr_rsa_encrypt(struct kore_msg *msg, const void *data, struct key *key)
u_int8_t buf[1024];
req = (const struct kore_keyreq *)data;
- rsa = EVP_PKEY_get0_RSA(key->pkey);
+ cp.cp = EVP_PKEY_get0_RSA(key->pkey);
+
+ rsa = cp.p;
keylen = RSA_size(rsa);
if (req->data_len > keylen || keylen > sizeof(buf))
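Review bot: `rsa = cp.p;` is handed straight to `RSA_size(rsa)` with no NULL check. Under OpenSSL 3, as I understand EVP_PKEY_get0_RSA(3), the call can return NULL not only for a non-RSA key (which the `EVP_PKEY_RSA` dispatch in keymgr_msg_recv rules out) but also for a provider-native key that cannot be converted to the legacy RSA structure, and `RSA_size()` dereferences its argument. A guard before the size query, `if (rsa == NULL) return;`, matching the function's existing silent-return style on bad requests, keeps an unexportable key from crashing the key manager, which is the process holding the private keys. keymgr_rsa_encrypt starts before this hunk and continues after it.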
@@ -707,32 +721,6 @@ keymgr_rsa_encrypt(struct kore_msg *msg, const void *data, struct key *key)
}
static void
-keymgr_ecdsa_sign(struct kore_msg *msg, const void *data, struct key *key)
-{
- size_t len;
- EC_KEY *ec;
- const struct kore_keyreq *req;
- unsigned int siglen;
- u_int8_t sig[1024];
-
- req = (const struct kore_keyreq *)data;
- ec = EVP_PKEY_get0_EC_KEY(key->pkey);
-
- len = ECDSA_size(ec);
- if (req->data_len > len || len > sizeof(sig))
- return;
-
- if (ECDSA_sign(EVP_PKEY_NONE, req->data, req->data_len,
- sig, &siglen, ec) == 0)
- return;
-
- if (siglen > sizeof(sig))
- return;
-
- kore_msg_send(msg->src, KORE_MSG_KEYMGR_RESP, sig, siglen);
-}
-
-static void
keymgr_x509_msg(const char *domain, const void *data, size_t len,
int target, int msg)
{
diff --git a/src/tls_openssl.c b/src/tls_openssl.c
@@ -36,6 +36,16 @@
#include "kore.h"
#include "http.h"
+/*
+ * Disable deprecated declaration warnings if we're building against
+ * OpenSSL 3 as they marked all low-level APIs as deprecated.
+ *
+ * Work is being done to replace these, but for now let things build.
+ */
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif
+
#define TLS_SESSION_ID "kore_tls_sessionid"
static int tls_domain_x509_verify(int, X509_STORE_CTX *);
@@ -59,11 +69,7 @@ static int tls_keymgr_rsa_finish(RSA *);
static int tls_keymgr_rsa_privenc(int, const unsigned char *,
unsigned char *, RSA *, int);
-static ECDSA_SIG *tls_keymgr_ecdsa_sign(const unsigned char *, int,
- const BIGNUM *, const BIGNUM *, EC_KEY *);
-
static RSA_METHOD *keymgr_rsa_meth = NULL;
-static EC_KEY_METHOD *keymgr_ec_meth = NULL;
static DH *dh_params = NULL;
static int tls_version = KORE_TLS_VERSION_BOTH;
@@ -102,12 +108,6 @@ kore_tls_init(void)
RSA_meth_set_finish(keymgr_rsa_meth, tls_keymgr_rsa_finish);
RSA_meth_set_priv_enc(keymgr_rsa_meth, tls_keymgr_rsa_privenc);
- if ((keymgr_ec_meth = EC_KEY_METHOD_new(NULL)) == NULL)
- fatal("failed to allocate EC KEY method");
-
- EC_KEY_METHOD_set_sign(keymgr_ec_meth,
- NULL, NULL, tls_keymgr_ecdsa_sign);
-
kore_log(LOG_NOTICE, "TLS backend %s", OPENSSL_VERSION_TEXT);
#if !defined(TLS1_3_VERSION)
if (!kore_quiet) {
@@ -122,7 +122,6 @@ void
kore_tls_cleanup(void)
{
RSA_meth_free(keymgr_rsa_meth);
- EC_KEY_METHOD_free(keymgr_ec_meth);
}
void
@@ -204,7 +203,6 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
X509 *x509;
EVP_PKEY *pkey;
STACK_OF(X509_NAME) *certs;
- EC_KEY *eckey;
const SSL_METHOD *method;
if (dom->tls_ctx != NULL)
@@ -285,12 +283,6 @@ kore_tls_domain_setup(struct kore_domain *dom, int type,
RSA_set_app_data(rsa, dom);
RSA_set_method(rsa, keymgr_rsa_meth);
break;
- case EVP_PKEY_EC:
- if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL)
- fatalx("no EC public key present");
- EC_KEY_set_ex_data(eckey, 0, dom);
- EC_KEY_set_method(eckey, keymgr_ec_meth);
- break;
default:
fatalx("unknown public key in certificate");
}
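Review bot: A domain configured with an ECDSA certificate now dies in `default: fatalx("unknown public key in certificate");`, a misleading diagnosis for a key type Kore handled until this commit and one the commit message does not mention dropping. An explicit arm makes the failure actionable for the operator: `case EVP_PKEY_EC:` followed by `fatalx("EC certificates are not supported by the keymgr in this build");`. The commit message should presumably also state that ECDSA private-key offloading to the keymgr is removed, since anyone serving EC certificates will hit this fatal on domain setup. kore_tls_domain_setup starts before this hunk and continues after it.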
@@ -934,53 +926,6 @@ tls_keymgr_rsa_finish(RSA *rsa)
return (1);
}
-static ECDSA_SIG *
-tls_keymgr_ecdsa_sign(const unsigned char *dgst, int dgst_len,
- const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
-{
- size_t len;
- ECDSA_SIG *sig;
- const u_int8_t *ptr;
- struct kore_domain *dom;
- struct kore_keyreq *req;
-
- if (in_kinv != NULL || in_r != NULL)
- return (NULL);
-
- len = sizeof(*req) + dgst_len;
- if (len > sizeof(keymgr_buf))
- fatal("keymgr_buf too small");
-
- if ((dom = EC_KEY_get_ex_data(eckey, 0)) == NULL)
- fatal("EC_KEY has no domain");
-
- memset(keymgr_buf, 0, sizeof(keymgr_buf));
- req = (struct kore_keyreq *)keymgr_buf;
-
- if (kore_strlcpy(req->domain, dom->domain, sizeof(req->domain)) >=
- sizeof(req->domain))
- fatal("%s: domain truncated", __func__);
-
- req->data_len = dgst_len;
- memcpy(&req->data[0], dgst, req->data_len);
-
- kore_msg_send(KORE_WORKER_KEYMGR, KORE_MSG_KEYMGR_REQ, keymgr_buf, len);
- tls_keymgr_await_data();
-
- if (keymgr_response) {
- ptr = keymgr_buf;
- sig = d2i_ECDSA_SIG(NULL, &ptr, keymgr_buflen);
- } else {
- sig = NULL;
- }
-
- keymgr_buflen = 0;
- keymgr_response = 0;
- kore_platform_event_all(worker->msg[1]->fd, worker->msg[1]);
-
- return (sig);
-}
-
static void
tls_keymgr_await_data(void)
{