opensslv3: handle deprecation of EC apis

openssl v3-alpha11 has marked EC_KEY pieces as deprecated... we use it in LWS_WITH_GENCRYPTO but the related RSA etc pieces were already deprecated for that. We use EC_KEY pieces in vhost init... The apis are not removed but deprecated, we should have a way to keep trucking, but as it is the deprecation warning is promoted to an error. Let's add LWS_SUPPRESS_DEPRECATED_API_WARNINGS option off by default. If enabled at cmake, external deprecated api warnings are suppressed. This gives a general workaround for now for opensslv3. In addition, even if you don't do that, let's notice we are on openssl v3 and don't build the EC curve selection stuff, I don't think anyone is actually using it anyway.
2025-03-09 00:00:04 +01:00 · 2021-02-14 06:05:16 +00:00 · 2021-02-14 06:05:16 +00:00 · 8e5f8491db
commit 8e5f8491db
parent 599691d233
7 changed files with 43 additions and 7 deletions
--- a/.sai.json
+++ b/.sai.json
@ -125,6 +125,10 @@
 			"cmake":	"-DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\" -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_GENCRYPTO=0",
 			"platforms":	"none,linux-fedora-32/x86_64-amd/gcc"
 		},
+		"default-examples-openssl-v3-gencrypto": {
+			"cmake":	"-DLWS_SUPPRESS_DEPRECATED_API_WARNINGS=1 -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\" -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_GENCRYPTO=1",
+			"platforms":	"none,linux-fedora-32/x86_64-amd/gcc"
+		},
 		"default-examples-boringssl": {
 			"cmake":	"cmake .. -DLWS_WITH_BORINGSSL=1 -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/boringssl/include\" -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/boringssl/build/ssl/libssl.so;/usr/local/src/boringssl/build/crypto/libcrypto.so\" -DLWS_WITH_MINIMAL_EXAMPLES=1",
 			"platforms":	"none,linux-fedora-32/x86_64-amd/gcc"
@ -153,8 +157,9 @@
 			"cmake":	"-DLWS_WITH_PLUGINS=1",
 			"platforms":	"none,linux-fedora-32/x86_64-amd/gcc,linux-debian-sid/x86-amd/gcc,linux-debian-sid/x86_64-amd/gcc"
 		},
+		# WARN_DEPRECATED disabled for openssl v3 case on windows
 		"lws_system": {
-			"cmake":	"-DLWS_WITH_ACME=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DCMAKE_BUILD_TYPE=RELEASE -DLWS_WITH_GENCRYPTO=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_NTPCLIENT=1",
+			"cmake":	"-DLWS_SUPPRESS_DEPRECATED_API_WARNINGS=1 -DLWS_WITH_ACME=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DCMAKE_BUILD_TYPE=RELEASE -DLWS_WITH_GENCRYPTO=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_NTPCLIENT=1",
 			"platforms":	"w10/x86_64-amd/msvc, w10/x86_64-amd/noptmsvc"
 		},
 		"secure-streams": {
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -198,6 +198,8 @@ option(LWS_WITH_STATIC "Build the static version of the library" ON)
 option(LWS_WITH_SHARED "Build the shared version of the library" ON)
 option(LWS_LINK_TESTAPPS_DYNAMIC "Link the test apps to the shared version of the library. Default is to link statically" OFF)
 option(LWS_STATIC_PIC "Build the static version of the library with position-independent code" OFF)
+option(LWS_SUPPRESS_DEPRECATED_API_WARNINGS "Turn off complaints about, eg, openssl deprecated api usage" OFF)
+
 #
 # Specific platforms
 #
@ -717,6 +719,7 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG)

 	check_c_compiler_flag("-Wignored-qualifiers" LWS_GCC_HAS_IGNORED_QUALIFIERS)
 	check_c_compiler_flag("-Wtype-limits" LWS_GCC_HAS_TYPE_LIMITS)
+	check_c_compiler_flag("-Wno-deprecated-declarations" LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS)

 	if (LWS_GCC_HAS_IGNORED_QUALIFIERS)
 		set(CMAKE_C_FLAGS "-Wignored-qualifiers ${CMAKE_C_FLAGS}" )
@ -744,6 +747,13 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG)
 	if ("${DISABLE_WERROR}" STREQUAL "OFF")
 		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror")
 	endif()
+
+	if (LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
+		set(CMAKE_C_FLAGS "-Wno-deprecated ${CMAKE_C_FLAGS}")
+		if (LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS)
+			set(CMAKE_C_FLAGS "-Wno-deprecated-declarations ${CMAKE_C_FLAGS}")
+		endif()
+	endif()
 endif ()

 if ((CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX) AND NOT LWS_WITHOUT_TESTAPPS)
--- a/cmake/lws_config.h.in
+++ b/cmake/lws_config.h.in
@ -37,6 +37,7 @@
 #cmakedefine LWS_HAVE_BN_bn2binpad
 #cmakedefine LWS_HAVE_CLOCK_GETTIME
 #cmakedefine LWS_HAVE_EC_POINT_get_affine_coordinates
+#cmakedefine LWS_HAVE_EC_KEY_new_by_curve_name
 #cmakedefine LWS_HAVE_ECDSA_SIG_set0
 #cmakedefine LWS_HAVE_EVP_MD_CTX_free
 #cmakedefine LWS_HAVE_EVP_aes_128_wrap
@ -116,6 +117,7 @@
 #cmakedefine LWS_SHA1_USE_OPENSSL_NAME
 #cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS
 #cmakedefine LWS_SSL_SERVER_WITH_ECDH_CERT
+#cmakedefine LWS_SUPPRESS_DEPRECATED_API_WARNINGS
 #cmakedefine LWS_TLS_LOG_PLAINTEXT_RX
 #cmakedefine LWS_TLS_LOG_PLAINTEXT_TX
 #cmakedefine LWS_WITH_ABSTRACT
--- a/include/libwebsockets.h
+++ b/include/libwebsockets.h
@ -41,6 +41,10 @@ extern "C" {

 #include "lws_config.h"

+#if defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
+#define OPENSSL_USE_DEPRECATED
+#endif
+
 /* place for one-shot opaque forward references */

 typedef struct lws_context * lws_ctx_t;
--- a/lib/tls/CMakeLists.txt
+++ b/lib/tls/CMakeLists.txt
@ -307,6 +307,9 @@ CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE)
 CHECK_SYMBOL_EXISTS(${VARIA}SSL_CTX_set_ciphersuites LWS_HAVE_SSL_CTX_set_ciphersuites PARENT_SCOPE)
 CHECK_FUNCTION_EXISTS(${VARIA}EVP_PKEY_new_raw_private_key LWS_HAVE_EVP_PKEY_new_raw_private_key PARENT_SCOPE)

+# deprecated in openssl v3
+CHECK_FUNCTION_EXISTS(${VARIA}EC_KEY_new_by_curve_name LWS_HAVE_EC_KEY_new_by_curve_name PARENT_SCOPE)
+
 if (LWS_WITH_SSL AND NOT LWS_WITH_MBEDTLS)
 	# we don't want to confuse what's in or out of the wrapper with
 	# what's in an openssl also installed on the build host
--- a/lib/tls/openssl/lws-genec.c
+++ b/lib/tls/openssl/lws-genec.c
@ -27,6 +27,12 @@
 #include "private-lib-core.h"
 #include "private-lib-tls-openssl.h"

+#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \
+    (OPENSSL_VERSION_NUMBER >= 0x30000000l) && \
+     !defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
+#warning "You probably need LWS_SUPPRESS_DEPRECATED_API_WARNINGS"
+#endif
+
 /*
 * Care: many openssl apis return 1 for success.  These are translated to the
 * lws convention of 0 for success.
--- a/lib/tls/openssl/openssl-server.c
+++ b/lib/tls/openssl/openssl-server.c
@ -155,7 +155,9 @@ lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi,
 			  const char *mem_cert, size_t mem_cert_len,
 			  const char *mem_privkey, size_t mem_privkey_len)
 {
-#if !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \
+    ((OPENSSL_VERSION_NUMBER < 0x30000000l) || \
+     defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS))
 	const char *ecdh_curve = "prime256v1";
 #if !defined(LWS_WITH_BORINGSSL) && defined(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS)
 	STACK_OF(X509) *extra_certs = NULL;
@ -419,7 +421,9 @@ check_key:
 	}


-#if !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \
+    ((OPENSSL_VERSION_NUMBER < 0x30000000l) || \
+     defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS))
 	if (vhost->tls.ecdh_curve[0])
 		ecdh_curve = vhost->tls.ecdh_curve;

@ -461,7 +465,8 @@ check_key:
 	}
 #else
 	return 0;
-#endif
+#endif /* !boringssl */
+
 	/* Get the public key from certificate */
 	pkey = X509_get_pubkey(x);
 	if (!pkey) {
@ -486,13 +491,14 @@ check_key:
 	SSL_CTX_set_tmp_ecdh(vhost->tls.ssl_ctx, EC_key);

 	EC_KEY_free(EC_key);
-#else
-	lwsl_notice(" OpenSSL doesn't support ECDH\n");
-#endif
+
 #if !defined(OPENSSL_NO_EC) && !defined(LWS_WITH_BORINGSSL)
 post_ecdh:
 #endif
 	vhost->tls.skipped_certs = 0;
+#else
+	lwsl_notice(" OpenSSL doesn't support ECDH\n");
+#endif

 	return 0;
 }