mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-22 02:37:15 +00:00
![Pierre Pronchery](/assets/img/avatar_default.png)
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the version we were previously using) will be EOL as of 2023-09-11. Most of the base system has already been updated for a seamless switch to OpenSSL 3.0. For many components we've added `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version, which avoids deprecation warnings from OpenSSL 3.0. Changes have also been made to avoid OpenSSL APIs that were already deprecated in OpenSSL 1.1.1. The process of updating to contemporary APIs can continue after this merge. Additional changes are still required for libarchive and Kerberos- related libraries or tools; workarounds will immediately follow this commit. Fixes are in progress in the upstream projects and will be incorporated when those are next updated. There are some performance regressions in benchmarks (certain tests in `openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy). Investigation will continue for these. Netflix's testing showed no functional regression and a rather small, albeit statistically significant, increase in CPU consumption with OpenSSL 3.0. Thanks to ngie@ and des@ for updating base system components, to antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to Netflix and everyone who tested prior to commit or contributed to this update in other ways. PR: 271615 PR: 271656 [exp-run] Relnotes: Yes Sponsored by: The FreeBSD Foundation
208 lines
5.1 KiB
C
208 lines
5.1 KiB
C
/*
|
|
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
/* We need to use some engine and HMAC deprecated APIs */
|
|
#define OPENSSL_SUPPRESS_DEPRECATED
|
|
|
|
#include <openssl/engine.h>
|
|
#include "ssl_local.h"
|
|
|
|
/*
|
|
* Engine APIs are only used to support applications that still use ENGINEs.
|
|
* Once ENGINE is removed completely, all of this code can also be removed.
|
|
*/
|
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
void tls_engine_finish(ENGINE *e)
|
|
{
|
|
ENGINE_finish(e);
|
|
}
|
|
#endif
|
|
|
|
const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
|
|
{
|
|
const EVP_CIPHER *ret = NULL;
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
ENGINE *eng;
|
|
|
|
/*
|
|
* If there is an Engine available for this cipher we use the "implicit"
|
|
* form to ensure we use that engine later.
|
|
*/
|
|
eng = ENGINE_get_cipher_engine(nid);
|
|
if (eng != NULL) {
|
|
ret = ENGINE_get_cipher(eng, nid);
|
|
ENGINE_finish(eng);
|
|
}
|
|
#endif
|
|
return ret;
|
|
}
|
|
|
|
const EVP_MD *tls_get_digest_from_engine(int nid)
|
|
{
|
|
const EVP_MD *ret = NULL;
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
ENGINE *eng;
|
|
|
|
/*
|
|
* If there is an Engine available for this digest we use the "implicit"
|
|
* form to ensure we use that engine later.
|
|
*/
|
|
eng = ENGINE_get_digest_engine(nid);
|
|
if (eng != NULL) {
|
|
ret = ENGINE_get_digest(eng, nid);
|
|
ENGINE_finish(eng);
|
|
}
|
|
#endif
|
|
return ret;
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
int tls_engine_load_ssl_client_cert(SSL *s, X509 **px509, EVP_PKEY **ppkey)
|
|
{
|
|
return ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
|
|
SSL_get_client_CA_list(s),
|
|
px509, ppkey, NULL, NULL, NULL);
|
|
}
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
|
|
{
|
|
if (!ENGINE_init(e)) {
|
|
ERR_raise(ERR_LIB_SSL, ERR_R_ENGINE_LIB);
|
|
return 0;
|
|
}
|
|
if (!ENGINE_get_ssl_client_cert_function(e)) {
|
|
ERR_raise(ERR_LIB_SSL, SSL_R_NO_CLIENT_CERT_METHOD);
|
|
ENGINE_finish(e);
|
|
return 0;
|
|
}
|
|
ctx->client_cert_engine = e;
|
|
return 1;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* The HMAC APIs below are only used to support the deprecated public API
|
|
* macro SSL_CTX_set_tlsext_ticket_key_cb(). The application supplied callback
|
|
* takes an HMAC_CTX in its argument list. The preferred alternative is
|
|
* SSL_CTX_set_tlsext_ticket_key_evp_cb(). Once
|
|
* SSL_CTX_set_tlsext_ticket_key_cb() is removed, then all of this code can also
|
|
* be removed.
|
|
*/
|
|
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
|
int ssl_hmac_old_new(SSL_HMAC *ret)
|
|
{
|
|
ret->old_ctx = HMAC_CTX_new();
|
|
if (ret->old_ctx == NULL)
|
|
return 0;
|
|
|
|
return 1;
|
|
}
|
|
|
|
void ssl_hmac_old_free(SSL_HMAC *ctx)
|
|
{
|
|
HMAC_CTX_free(ctx->old_ctx);
|
|
}
|
|
|
|
int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md)
|
|
{
|
|
return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL);
|
|
}
|
|
|
|
int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)
|
|
{
|
|
return HMAC_Update(ctx->old_ctx, data, len);
|
|
}
|
|
|
|
int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len)
|
|
{
|
|
unsigned int l;
|
|
|
|
if (HMAC_Final(ctx->old_ctx, md, &l) > 0) {
|
|
if (len != NULL)
|
|
*len = l;
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
size_t ssl_hmac_old_size(const SSL_HMAC *ctx)
|
|
{
|
|
return HMAC_size(ctx->old_ctx);
|
|
}
|
|
|
|
HMAC_CTX *ssl_hmac_get0_HMAC_CTX(SSL_HMAC *ctx)
|
|
{
|
|
return ctx->old_ctx;
|
|
}
|
|
|
|
/* Some deprecated public APIs pass DH objects */
|
|
EVP_PKEY *ssl_dh_to_pkey(DH *dh)
|
|
{
|
|
# ifndef OPENSSL_NO_DH
|
|
EVP_PKEY *ret;
|
|
|
|
if (dh == NULL)
|
|
return NULL;
|
|
ret = EVP_PKEY_new();
|
|
if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
|
|
EVP_PKEY_free(ret);
|
|
return NULL;
|
|
}
|
|
return ret;
|
|
# else
|
|
return NULL;
|
|
# endif
|
|
}
|
|
|
|
/* Some deprecated public APIs pass EC_KEY objects */
|
|
int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
|
|
void *key)
|
|
{
|
|
# ifndef OPENSSL_NO_EC
|
|
const EC_GROUP *group = EC_KEY_get0_group((const EC_KEY *)key);
|
|
int nid;
|
|
|
|
if (group == NULL) {
|
|
ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_PARAMETERS);
|
|
return 0;
|
|
}
|
|
nid = EC_GROUP_get_curve_name(group);
|
|
if (nid == NID_undef)
|
|
return 0;
|
|
return tls1_set_groups(pext, pextlen, &nid, 1);
|
|
# else
|
|
return 0;
|
|
# endif
|
|
}
|
|
|
|
/*
|
|
* Set the callback for generating temporary DH keys.
|
|
* ctx: the SSL context.
|
|
* dh: the callback
|
|
*/
|
|
# if !defined(OPENSSL_NO_DH)
|
|
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
|
|
DH *(*dh) (SSL *ssl, int is_export,
|
|
int keylength))
|
|
{
|
|
SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
|
|
}
|
|
|
|
void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
|
|
int keylength))
|
|
{
|
|
SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
|
|
}
|
|
# endif
|
|
#endif /* OPENSSL_NO_DEPRECATED */
|