
opensslv3: handle deprecation of EC apis

openssl v3-alpha11 has marked EC_KEY pieces as deprecated... we use it in
LWS_WITH_GENCRYPTO but the related RSA etc pieces were already deprecated
for that.  We use EC_KEY pieces in vhost init...

The apis are not removed but deprecated, we should have a way to keep
trucking, but as it is the deprecation warning is promoted to an error.

Let's add LWS_SUPPRESS_DEPRECATED_API_WARNINGS option off by default.  If
enabled at cmake, external deprecated api warnings are suppressed.  This
gives a general workaround for now for opensslv3.

In addition, even if you don't do that, let's notice we are on openssl v3
and don't build the EC curve selection stuff, I don't think anyone is
actually using it anyway.
This commit is contained in:
Andy Green 2021-02-14 06:05:16 +00:00
parent 599691d233
commit 8e5f8491db
7 changed files with 43 additions and 7 deletions


@ -125,6 +125,10 @@
"cmake": "-DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\" -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_GENCRYPTO=0",
"platforms": "none,linux-fedora-32/x86_64-amd/gcc"
},
"default-examples-openssl-v3-gencrypto": {
"cmake": "-DLWS_SUPPRESS_DEPRECATED_API_WARNINGS=1 -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/openssl/v3/usr/local/lib64/libssl.a;/usr/local/src/openssl/v3/usr/local/lib64/libcrypto.a\" -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/openssl/v3/usr/local/include/\" -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_GENCRYPTO=1",
"platforms": "none,linux-fedora-32/x86_64-amd/gcc"
},
"default-examples-boringssl": {
"cmake": "cmake .. -DLWS_WITH_BORINGSSL=1 -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/local/src/boringssl/include\" -DLWS_OPENSSL_LIBRARIES=\"/usr/local/src/boringssl/build/ssl/libssl.so;/usr/local/src/boringssl/build/crypto/libcrypto.so\" -DLWS_WITH_MINIMAL_EXAMPLES=1",
"platforms": "none,linux-fedora-32/x86_64-amd/gcc"
@ -153,8 +157,9 @@
"cmake": "-DLWS_WITH_PLUGINS=1",
"platforms": "none,linux-fedora-32/x86_64-amd/gcc,linux-debian-sid/x86-amd/gcc,linux-debian-sid/x86_64-amd/gcc"
},
# WARN_DEPRECATED disabled for openssl v3 case on windows
"lws_system": {
"cmake": "-DLWS_WITH_ACME=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DCMAKE_BUILD_TYPE=RELEASE -DLWS_WITH_GENCRYPTO=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_NTPCLIENT=1",
"cmake": "-DLWS_SUPPRESS_DEPRECATED_API_WARNINGS=1 -DLWS_WITH_ACME=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DCMAKE_BUILD_TYPE=RELEASE -DLWS_WITH_GENCRYPTO=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_NTPCLIENT=1",
"platforms": "w10/x86_64-amd/msvc, w10/x86_64-amd/noptmsvc"
},
"secure-streams": {
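Review bot: The comment added above the `lws_system` job says `WARN_DEPRECATED disabled`, but the flag the job actually passes is `LWS_SUPPRESS_DEPRECATED_API_WARNINGS`, so a reader grepping the CI file for the option name will not connect the two. Suggest `# LWS_SUPPRESS_DEPRECATED_API_WARNINGS needed for the openssl v3 case on windows`. Suppressing in CI also hides the very diagnostics that show which deprecated EC_KEY call sites still need migrating; the non-suppressed v3 job with `-DLWS_WITH_GENCRYPTO=0` just above the new one is what keeps that signal, and that split is worth stating in the comment.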


@ -198,6 +198,8 @@ option(LWS_WITH_STATIC "Build the static version of the library" ON)
option(LWS_WITH_SHARED "Build the shared version of the library" ON)
option(LWS_LINK_TESTAPPS_DYNAMIC "Link the test apps to the shared version of the library. Default is to link statically" OFF)
option(LWS_STATIC_PIC "Build the static version of the library with position-independent code" OFF)
option(LWS_SUPPRESS_DEPRECATED_API_WARNINGS "Turn off complaints about, eg, openssl deprecated api usage" OFF)
#
# Specific platforms
#
@ -717,6 +719,7 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG)
check_c_compiler_flag("-Wignored-qualifiers" LWS_GCC_HAS_IGNORED_QUALIFIERS)
check_c_compiler_flag("-Wtype-limits" LWS_GCC_HAS_TYPE_LIMITS)
check_c_compiler_flag("-Wno-deprecated-declarations" LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS)
if (LWS_GCC_HAS_IGNORED_QUALIFIERS)
set(CMAKE_C_FLAGS "-Wignored-qualifiers ${CMAKE_C_FLAGS}" )
@ -744,6 +747,13 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR COMPILER_IS_CLANG)
if ("${DISABLE_WERROR}" STREQUAL "OFF")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror")
endif()
if (LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
set(CMAKE_C_FLAGS "-Wno-deprecated ${CMAKE_C_FLAGS}")
if (LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS)
set(CMAKE_C_FLAGS "-Wno-deprecated-declarations ${CMAKE_C_FLAGS}")
endif()
endif()
endif ()
if ((CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX) AND NOT LWS_WITHOUT_TESTAPPS)
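Review bot: `-Wno-deprecated` is prepended unconditionally while `-Wno-deprecated-declarations` two lines below is guarded by a `check_c_compiler_flag` result; the two flags deserve the same treatment, either both probed or neither. The probe is weak on GCC in any case: unknown `-Wno-*` options are accepted silently unless another diagnostic is emitted, so `LWS_GCC_HAS_NO_DEPRECATED_DECLARATIONS` will read true regardless of actual support. Both flags silence deprecation warnings from every header, not only OpenSSL, which deserves a comment such as `# Blanket: also hides deprecations from libc and other third-party headers`. The MSVC path gets no equivalent here and, judging by the libwebsockets.h hunk, relies on a macro defined in the public header instead; a one-line comment saying so would make the asymmetry clearly intentional.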


@ -37,6 +37,7 @@
#cmakedefine LWS_HAVE_BN_bn2binpad
#cmakedefine LWS_HAVE_CLOCK_GETTIME
#cmakedefine LWS_HAVE_EC_POINT_get_affine_coordinates
#cmakedefine LWS_HAVE_EC_KEY_new_by_curve_name
#cmakedefine LWS_HAVE_ECDSA_SIG_set0
#cmakedefine LWS_HAVE_EVP_MD_CTX_free
#cmakedefine LWS_HAVE_EVP_aes_128_wrap
@ -116,6 +117,7 @@
#cmakedefine LWS_SHA1_USE_OPENSSL_NAME
#cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS
#cmakedefine LWS_SSL_SERVER_WITH_ECDH_CERT
#cmakedefine LWS_SUPPRESS_DEPRECATED_API_WARNINGS
#cmakedefine LWS_TLS_LOG_PLAINTEXT_RX
#cmakedefine LWS_TLS_LOG_PLAINTEXT_TX
#cmakedefine LWS_WITH_ABSTRACT


@ -41,6 +41,10 @@ extern "C" {
#include "lws_config.h"
#if defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
#define OPENSSL_USE_DEPRECATED
#endif
/* place for one-shot opaque forward references */
typedef struct lws_context * lws_ctx_t;
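Review bot: `OPENSSL_USE_DEPRECATED` is defined in the public header, so every application translation unit that includes libwebsockets.h inherits it and loses deprecation diagnostics for its own OpenSSL calls, not just the library's; if the intent is to cover only lws sources, the define belongs in a private header or on the compile line. It also only takes effect when this header is seen before any OpenSSL header in the same translation unit, which the header cannot guarantee for consumers. As far as I know the macro OpenSSL 3 documents for this purpose is `OPENSSL_SUPPRESS_DEPRECATED`; confirm that `OPENSSL_USE_DEPRECATED` actually changes how the v3 headers decorate deprecated declarations. A comment stating the target would help, e.g. `/* ask the OpenSSL 3 headers not to decorate deprecated EC_KEY apis; paired with LWS_SUPPRESS_DEPRECATED_API_WARNINGS */`.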


@ -307,6 +307,9 @@ CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE)
CHECK_SYMBOL_EXISTS(${VARIA}SSL_CTX_set_ciphersuites LWS_HAVE_SSL_CTX_set_ciphersuites PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(${VARIA}EVP_PKEY_new_raw_private_key LWS_HAVE_EVP_PKEY_new_raw_private_key PARENT_SCOPE)
# deprecated in openssl v3
CHECK_FUNCTION_EXISTS(${VARIA}EC_KEY_new_by_curve_name LWS_HAVE_EC_KEY_new_by_curve_name PARENT_SCOPE)
if (LWS_WITH_SSL AND NOT LWS_WITH_MBEDTLS)
# we don't want to confuse what's in or out of the wrapper with
# what's in an openssl also installed on the build host


@ -27,6 +27,12 @@
#include "private-lib-core.h"
#include "private-lib-tls-openssl.h"
#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \
(OPENSSL_VERSION_NUMBER >= 0x30000000l) && \
!defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS)
#warning "You probably need LWS_SUPPRESS_DEPRECATED_API_WARNINGS"
#endif
/*
* Care: many openssl apis return 1 for success. These are translated to the
* lws convention of 0 for success.
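Review bot: Under the default `-Werror` (DISABLE_WERROR is OFF in the CMakeLists hunk) this `#warning` is itself promoted to an error via `-Wcpp` on GCC/Clang, so an OpenSSL 3 build without `LWS_SUPPRESS_DEPRECATED_API_WARNINGS` fails here even though the openssl-server.c change compiles the deprecated EC_KEY path out for exactly that case; the commit message's aim of building anyway on v3 without the option is defeated unless the user also sets DISABLE_WERROR. MSVC does not implement `#warning` at all and, as far as I recall, rejects it as a fatal error, so on that toolchain the same configuration fails regardless of -Werror. Prefer reporting this from cmake with `message(WARNING ...)` when the v3-without-suppression combination is detected, or at least make the text describe the consequence rather than the option, e.g. `#warning "OpenSSL 3: EC_KEY-based ECDH curve selection is compiled out; define LWS_SUPPRESS_DEPRECATED_API_WARNINGS to keep it"`.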


@ -155,7 +155,9 @@ lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi,
const char *mem_cert, size_t mem_cert_len,
const char *mem_privkey, size_t mem_privkey_len)
{
#if !defined(OPENSSL_NO_EC)
#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \
((OPENSSL_VERSION_NUMBER < 0x30000000l) || \
defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS))
const char *ecdh_curve = "prime256v1";
#if !defined(LWS_WITH_BORINGSSL) && defined(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS)
STACK_OF(X509) *extra_certs = NULL;
@ -419,7 +421,9 @@ check_key:
}
#if !defined(OPENSSL_NO_EC)
#if !defined(OPENSSL_NO_EC) && defined(LWS_HAVE_EC_KEY_new_by_curve_name) && \
((OPENSSL_VERSION_NUMBER < 0x30000000l) || \
defined(LWS_SUPPRESS_DEPRECATED_API_WARNINGS))
if (vhost->tls.ecdh_curve[0])
ecdh_curve = vhost->tls.ecdh_curve;
@ -461,7 +465,8 @@ check_key:
}
#else
return 0;
#endif
#endif /* !boringssl */
/* Get the public key from certificate */
pkey = X509_get_pubkey(x);
if (!pkey) {
@ -486,13 +491,14 @@ check_key:
SSL_CTX_set_tmp_ecdh(vhost->tls.ssl_ctx, EC_key);
EC_KEY_free(EC_key);
#else
lwsl_notice(" OpenSSL doesn't support ECDH\n");
#endif
#if !defined(OPENSSL_NO_EC) && !defined(LWS_WITH_BORINGSSL)
post_ecdh:
#endif
vhost->tls.skipped_certs = 0;
#else
lwsl_notice(" OpenSSL doesn't support ECDH\n");
#endif
return 0;
}
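Review bot: With the new guards, an OpenSSL 3 build without `LWS_SUPPRESS_DEPRECATED_API_WARNINGS` silently ignores a configured `vhost->tls.ecdh_curve` (and the `prime256v1` default), and the final `#else` branch appears to log ` OpenSSL doesn't support ECDH` for that case, which is misleading: OpenSSL 3 supports ECDH, only the EC_KEY-based explicit curve selection is skipped and, as far as I know, the library's automatic group negotiation applies instead. Suggest a distinct message for that path, e.g. `lwsl_notice(" OpenSSL 3: explicit ECDH curve selection skipped (deprecated EC_KEY api)\n");`, plus a warning when `vhost->tls.ecdh_curve[0]` is set but cannot be honoured, so operators who pinned a curve for policy reasons notice. The function body runs before and between the hunks, so I may be misreading which `#if` that `#else` pairs with; worth checking. The same three-term gate is repeated in each hunk; defining it once at the top of the file as a single helper macro (name illustrative, say `LWS_OPENSSL_HAS_EC_CURVE_SELECT`) would keep the copies from drifting.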