opensslv3: handle deprecation of EC apis
openssl v3-alpha11 has marked EC_KEY pieces as deprecated... we use it in LWS_WITH_GENCRYPTO but the related RSA etc pieces were already deprecated for that. We use EC_KEY pieces in vhost init... The apis are not removed but deprecated, we should have a way to keep trucking, but as it is the deprecation warning is promoted to an error. Let's add LWS_SUPPRESS_DEPRECATED_API_WARNINGS option off by default. If enabled at cmake, external deprecated api warnings are suppressed. This gives a general workaround for now for opensslv3. In addition, even if you don't do that, let's notice we are on openssl v3 and don't build the EC curve selection stuff, I don't think anyone is actually using it anyway.
This commit is contained in:
parent
599691d233
commit
8e5f8491db
7 changed files with 43 additions and 7 deletions
|
@ -125,6 +125,10 @@
|
|||
"cmake": "-DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\" -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_GENCRYPTO=0",
|
||||
"platforms": "none,linux-fedora-32/x86_64-amd/gcc"
|
||||
},
|
||||
"default-examples-openssl-v3-gencrypto": {
|
||||
"cmake": "-DLWS_SUPPRESS_DEPRECATED_API_WARNINGS=1 -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\" -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_GENCRYPTO=1",
|
||||
"platforms": "none,linux-fedora-32/x86_64-amd/gcc"
|
||||
},
|
||||
"default-examples-boringssl": {
|
||||
"cmake": "cmake .. -DLWS_WITH_BORINGSSL=1 -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/boringssl/include\" -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/boringssl/build/ssl/libssl.so;/usr/local/src/boringssl/build/crypto/libcrypto.so\" -DLWS_WITH_MINIMAL_EXAMPLES=1",
|
||||
"platforms": "none,linux-fedora-32/x86_64-amd/gcc"
|
||||
|
@ -153,8 +157,9 @@
|
|||
"cmake": "-DLWS_WITH_PLUGINS=1",
|
||||
"platforms": "none,linux-fedora-32/x86_64-amd/gcc,linux-debian-sid/x86-amd/gcc,linux-debian-sid/x86_64-amd/gcc"
|
||||
},
|
||||
# WARN_DEPRECATED disabled for openssl v3 case on windows
|
||||
"lws_system": {
|
||||
"cmake": "-DLWS_WITH_ACME=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DCMAKE_BUILD_TYPE=RELEASE -DLWS_WITH_GENCRYPTO=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_NTPCLIENT=1",
|
||||
"cmake": "-DLWS_SUPPRESS_DEPRECATED_API_WARNINGS=1 -DLWS_WITH_ACME=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DCMAKE_BUILD_TYPE=RELEASE -DLWS_WITH_GENCRYPTO=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_NTPCLIENT=1",
|
||||
"platforms": "w10/x86_64-amd/msvc, w10/x86_64-amd/noptmsvc"
|
||||
},
|
||||
"secure-streams": {
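Review bot: The comment above the lws_system entry names `WARN_DEPRECATED`, which is not what the new cmake string turns on, and the only place `LWS_SUPPRESS_DEPRECATED_API_WARNINGS` changes compiler flags is the gcc/clang branch of the top-level CMakeLists, so on the w10/msvc platforms listed here the option acts solely by re-enabling the EC_KEY path and defining OPENSSL_USE_DEPRECATED, with no flag added to silence whatever the v3 headers emit under MSVC. I'd reword the comment so the next reader knows what is actually relied on, e.g. `# LWS_SUPPRESS_DEPRECATED_API_WARNINGS: openssl v3 marks EC_KEY deprecated; on msvc this only re-enables the EC curve-selection code, no warning flag is changed`. Since every Windows job now sets the option, it is also worth keeping one msvc entry without it so the "plain v3, EC selection skipped" path the commit message describes stays covered in CI.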
|
||||
@ -198,6 +198,8 @@ option(LWS_WITH_STATIC "Build the static version of the library" ON)
|
|||
option(LWS_WITH_SHARED "Build the shared version of the library" ON)
|
||||
option(LWS_LINK_TESTAPPS_DYNAMIC "Link the test apps to the shared version of the library. Default is to link statically" OFF)
|
||||
option(LWS_STATIC_PIC "Build the static version of the library with position-independent code" OFF)
|
||||
option(LWS_SUPPRESS_DEPRECATED_API_WARNINGS "Turn off complaints about, eg, openssl deprecated api usage" OFF)
|
||||
|
||||
#
|
||||
# Specific platforms
|
||||
#
|
||||
|
@ -717,6 +719,7 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG)
|
|||
|
||||
check_c_compiler_flag("-Wignored-qualifiers" LWS_GCC_HAS_IGNORED_QUALIFIERS)
|
||||
check_c_compiler_flag("-Wtype-limits" LWS_GCC_HAS_TYPE_LIMITS)
|
||||
check_c_compiler_flag("-Wno-deprecated-declarations" LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS)
|
||||
|
||||
if (LWS_GCC_HAS_IGNORED_QUALIFIERS)
|
||||
set(CMAKE_C_FLAGS "-Wignored-qualifiers ${CMAKE_C_FLAGS}" )
|
||||
|
@ -744,6 +747,13 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG)
|
|||
if ("${DISABLE_WERROR}" STREQUAL "OFF")
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror")
|
||||
endif()
|
||||
|
||||
if (LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
|
||||
set(CMAKE_C_FLAGS "-Wno-deprecated ${CMAKE_C_FLAGS}")
|
||||
if (LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS)
|
||||
set(CMAKE_C_FLAGS "-Wno-deprecated-declarations ${CMAKE_C_FLAGS}")
|
||||
endif()
|
||||
endif()
|
||||
endif ()
|
||||
|
||||
if ((CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX) AND NOT LWS_WITHOUT_TESTAPPS)
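Review bot: `-Wno-deprecated` is prepended to CMAKE_C_FLAGS unconditionally inside the new `if (LWS_SUPPRESS_DEPRECATED_API_WARNINGS)` block, while `-Wno-deprecated-declarations` right below it is guarded by the check_c_compiler_flag result; for symmetry and for toolchains that reject the flag under -Werror, probe it the same way, `check_c_compiler_flag("-Wno-deprecated" LWS_GCC_HAS_NO_DEPRECATED)` next to the existing probe and `if (LWS_GCC_HAS_NO_DEPRECATED)` around the set. Both flags are also project-wide, so enabling the option silences deprecation diagnostics for every library lws links against, not only OpenSSL's EC_KEY calls; if the build can tolerate it, scoping the flags to the TLS/gencrypto sources via set_source_files_properties would keep the signal elsewhere. Note the whole block sits inside the gcc/clang branch, so the option changes nothing in MSVC flags even though the CI change enables it on w10/msvc.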
|
||||
@ -37,6 +37,7 @@
|
|||
#cmakedefine LWS_HAVE_BN_bn2binpad
|
||||
#cmakedefine LWS_HAVE_CLOCK_GETTIME
|
||||
#cmakedefine LWS_HAVE_EC_POINT_get_affine_coordinates
|
||||
#cmakedefine LWS_HAVE_EC_KEY_new_by_curve_name
|
||||
#cmakedefine LWS_HAVE_ECDSA_SIG_set0
|
||||
#cmakedefine LWS_HAVE_EVP_MD_CTX_free
|
||||
#cmakedefine LWS_HAVE_EVP_aes_128_wrap
|
||||
|
@ -116,6 +117,7 @@
|
|||
#cmakedefine LWS_SHA1_USE_OPENSSL_NAME
|
||||
#cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS
|
||||
#cmakedefine LWS_SSL_SERVER_WITH_ECDH_CERT
|
||||
#cmakedefine LWS_SUPPRESS_DEPRECATED_API_WARNINGS
|
||||
#cmakedefine LWS_TLS_LOG_PLAINTEXT_RX
|
||||
#cmakedefine LWS_TLS_LOG_PLAINTEXT_TX
|
||||
#cmakedefine LWS_WITH_ABSTRACT
|
||||
@ -41,6 +41,10 @@ extern "C" {
|
|||
|
||||
#include "lws_config.h"
|
||||
|
||||
#if defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
|
||||
#define OPENSSL_USE_DEPRECATED
|
||||
#endif
|
||||
|
||||
/* place for one-shot opaque forward references */
|
||||
|
||||
typedef struct lws_context * lws_ctx_t;
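Review bot: The macro defined here may be the wrong one for the target this commit is about: as far as I can tell, OpenSSL 3.0's macros.h strips the deprecation attribute when `OPENSSL_SUPPRESS_DEPRECATED` is defined, whereas `OPENSSL_USE_DEPRECATED` is the 1.1.x-era override and may be a no-op against the v3 headers, leaving `-Wno-deprecated-declarations` to do all the work on gcc/clang and nothing on MSVC; please verify against the alpha11 headers and, if so, `#define OPENSSL_SUPPRESS_DEPRECATED` as well or instead. This appears to be a public header (the `extern "C"` block and `lws_ctx_t` typedef), so the define is exported to every application that includes libwebsockets.h and only takes effect in translation units that include it before the first OpenSSL header; a one-line comment such as `/* must precede any <openssl/*.h> include to silence v3 deprecation attributes */` would make that ordering constraint explicit.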
|
||||
@ -307,6 +307,9 @@ CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE)
|
|||
CHECK_SYMBOL_EXISTS(${VARIA}SSL_CTX_set_ciphersuites LWS_HAVE_SSL_CTX_set_ciphersuites PARENT_SCOPE)
|
||||
CHECK_FUNCTION_EXISTS(${VARIA}EVP_PKEY_new_raw_private_key LWS_HAVE_EVP_PKEY_new_raw_private_key PARENT_SCOPE)
|
||||
|
||||
# deprecated in openssl v3
|
||||
CHECK_FUNCTION_EXISTS(${VARIA}EC_KEY_new_by_curve_name LWS_HAVE_EC_KEY_new_by_curve_name PARENT_SCOPE)
|
||||
|
||||
if (LWS_WITH_SSL AND NOT LWS_WITH_MBEDTLS)
|
||||
# we don't want to confuse what's in or out of the wrapper with
|
||||
# what's in an openssl also installed on the build host
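Review bot: `CHECK_FUNCTION_EXISTS` for EC_KEY_new_by_curve_name only tests that the symbol links, so `LWS_HAVE_EC_KEY_new_by_curve_name` will still be set against OpenSSL 3 (the commit message says the API is deprecated, not removed) and is not by itself a v3 discriminator; the version-number test in the C sources is what actually gates the path, and the comment `# deprecated in openssl v3` could say so, e.g. `# still present but deprecated in openssl v3; the sources additionally test OPENSSL_VERSION_NUMBER`. If a v3 built with no-deprecated hides the prototype while the symbol still links, a link-only probe would report it present and the call would then compile without a declaration; `CHECK_SYMBOL_EXISTS(${VARIA}EC_KEY_new_by_curve_name "openssl/ec.h" ...)`, matching the SSL_CTX_set_ciphersuites probe a few lines up, would catch that, assuming the wrapper header layout this file guards against permits it.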
|
||||
@ -27,6 +27,12 @@
|
|||
#include "private-lib-core.h"
|
||||
#include "private-lib-tls-openssl.h"
|
||||
|
||||
#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \
|
||||
(OPENSSL_VERSION_NUMBER >= 0x30000000l) && \
|
||||
!defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
|
||||
#warning "You probably need LWS_SUPPRESS_DEPRECATED_API_WARNINGS"
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Care: many openssl apis return 1 for success. These are translated to the
|
||||
* lws convention of 0 for success.
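Review bot: Under the default build the top-level CMakeLists appends `-Werror` unless DISABLE_WERROR is set, and on gcc and clang a `#warning` directive is itself promoted to an error by -Werror, so the "build against v3 without the option and just skip the EC selection" path this block is meant to advise on would instead fail to compile; the new default-examples-openssl-v3 CI entry (GENCRYPTO=0, no suppress option) exercises exactly that combination and is worth checking. If the intent is advisory, move the notice to configure time, e.g. `message(WARNING "OpenSSL v3 detected: EC curve selection is disabled unless LWS_SUPPRESS_DEPRECATED_API_WARNINGS is set")` in the openssl cmake, or keep it in C but only where the deprecated calls are actually needed, such as `#if defined(LWS_WITH_GENCRYPTO)`. The wording could also state the consequence, `"OpenSSL v3: EC curve selection disabled; define LWS_SUPPRESS_DEPRECATED_API_WARNINGS to keep it"`.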
|
||||
@ -155,7 +155,9 @@ lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi,
|
|||
const char *mem_cert, size_t mem_cert_len,
|
||||
const char *mem_privkey, size_t mem_privkey_len)
|
||||
{
|
||||
#if !defined(OPENSSL_NO_EC)
|
||||
#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \
|
||||
((OPENSSL_VERSION_NUMBER < 0x30000000l) || \
|
||||
defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS))
|
||||
const char *ecdh_curve = "prime256v1";
|
||||
#if !defined(LWS_WITH_BORINGSSL) && defined(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS)
|
||||
STACK_OF(X509) *extra_certs = NULL;
|
||||
|
@ -419,7 +421,9 @@ check_key:
|
|||
}
|
||||
|
||||
|
||||
#if !defined(OPENSSL_NO_EC)
|
||||
#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \
|
||||
((OPENSSL_VERSION_NUMBER < 0x30000000l) || \
|
||||
defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS))
|
||||
if (vhost->tls.ecdh_curve[0])
|
||||
ecdh_curve = vhost->tls.ecdh_curve;
|
||||
|
||||
|
@ -461,7 +465,8 @@ check_key:
|
|||
}
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
#endif /* !boringssl */
|
||||
|
||||
/* Get the public key from certificate */
|
||||
pkey = X509_get_pubkey(x);
|
||||
if (!pkey) {
|
||||
|
@ -486,13 +491,14 @@ check_key:
|
|||
SSL_CTX_set_tmp_ecdh(vhost->tls.ssl_ctx, EC_key);
|
||||
|
||||
EC_KEY_free(EC_key);
|
||||
#else
|
||||
lwsl_notice(" OpenSSL doesn't support ECDH\n");
|
||||
#endif
|
||||
|
||||
#if !defined(OPENSSL_NO_EC) && !defined(LWS_WITH_BORINGSSL)
|
||||
post_ecdh:
|
||||
#endif
|
||||
vhost->tls.skipped_certs = 0;
|
||||
#else
|
||||
lwsl_notice(" OpenSSL doesn't support ECDH\n");
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
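Review bot: With OpenSSL 3 and the option unset, the new `#else` branch reports `" OpenSSL doesn't support ECDH\n"`, which is not what happened: ECDH is supported, it is the EC_KEY-based curve selection that was compiled out, and the vhost's configured `vhost->tls.ecdh_curve` is now silently ignored so the server falls back to OpenSSL's own group selection. I'd make the message say that, e.g. `lwsl_notice(" OpenSSL v3: EC_KEY curve selection skipped, ecdh_curve ignored\n");`, and ideally log only when `vhost->tls.ecdh_curve[0]` is set so the common case stays quiet. As a follow-up, the non-deprecated `SSL_CTX_set1_groups_list(vhost->tls.ssl_ctx, ecdh_curve)` takes the curve name string directly and would let the same selection work on v3 without any deprecated-API suppression, assuming the OpenSSL baseline lws supports provides it. The body of lws_tls_server_certs_load spans several hunks here and its middle is not fully visible.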
|
||||