
tls: make explicit ENGINE deprecation in OpenSSL 3
space88man committed Mar 1, 2024
1 parent e535cc5 commit 0c68a55
Showing 3 changed files with 34 additions and 31 deletions.
25 changes: 13 additions & 12 deletions src/modules/tls/tls_domain.c
Expand Up @@ -30,15 +30,16 @@
#include <openssl/bn.h>
#include <openssl/dh.h>

#if OPENSSL_VERSION_NUMBER >= 0x030000000L
#define OPENSSL_NO_ENGINE
/* only OpenSSL <= 1.1.1 */
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
#define KSR_SSL_ENGINE
#endif

#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
#include <openssl/engine.h>
#include "tls_map.h"
extern EVP_PKEY *tls_engine_private_key(const char *key_id);
#endif
#endif /* KSR_SSL_ENGINE */

#if OPENSSL_VERSION_NUMBER >= 0x00907000L
#include <openssl/ui.h>
Expand Down Expand Up @@ -1227,7 +1228,7 @@ static int passwd_cb(char *buf, int size, int rwflag, void *filename)
#endif
}

#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
/*
* Implement a hash map from SSL_CTX to private key
* as HSM keys need to be process local
Expand Down Expand Up @@ -1329,7 +1330,7 @@ static int load_engine_private_key(tls_domain_t *d)
d->pkey_file.s);
return 0;
}
#endif
#endif /* KSR_SSL_ENGINE */
/**
* @brief Load a private key from a file
* @param d TLS domain
Expand All @@ -1353,7 +1354,7 @@ static int load_private_key(tls_domain_t *d)
SSL_CTX_set_default_passwd_cb_userdata(d->ctx[i], d->pkey_file.s);

for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
// in PROC_INIT skip loading HSM keys due to
// fork() issues with PKCS#11 libraries
if(strncmp(d->pkey_file.s, "/engine:", 8) != 0) {
Expand All @@ -1365,7 +1366,7 @@ static int load_private_key(tls_domain_t *d)
#else
ret_pwd = SSL_CTX_use_PrivateKey_file(
d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
#endif
#endif /* KSR_SSL_ENGINE */
if(ret_pwd) {
break;
} else {
Expand All @@ -1382,12 +1383,12 @@ static int load_private_key(tls_domain_t *d)
TLS_ERR("load_private_key:");
return -1;
}
#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
if(strncmp(d->pkey_file.s, "/engine:", 8) == 0) {
// skip private key validity check for HSM keys
continue;
}
#endif
#endif /* KSR_SSL_ENGINE */
if(!SSL_CTX_check_private_key(d->ctx[i])) {
ERR("%s: Key '%s' does not match the public key of the"
" certificate\n",
Expand All @@ -1403,7 +1404,7 @@ static int load_private_key(tls_domain_t *d)
}


#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
/**
* @brief Initialize engine private keys
*
Expand Down Expand Up @@ -1435,7 +1436,7 @@ int tls_fix_engine_keys(tls_domains_cfg_t *cfg, tls_domain_t *srv_defaults,

return 0;
}
#endif
#endif /* KSR_SSL_ENGINE */
/**
* @brief Initialize attributes of all domains from default domains if necessary
*
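Review bot: With KSR_SSL_ENGINE undefined on OpenSSL 3 a `private_key` value that still carries the `/engine:` prefix (the `strncmp(d->pkey_file.s, "/engine:", 8)` test in load_private_key) now falls through to the `#else` branch and is handed to `SSL_CTX_use_PrivateKey_file()` as a filesystem path, which is retried three times by the surrounding loop and then reported only as the generic `TLS_ERR("load_private_key:")`. That makes an HSM-backed domain look like a missing PEM file on an OpenSSL 3 build, so it is worth failing early with a message that names the real cause on the non-engine side, e.g. `if(strncmp(d->pkey_file.s, "/engine:", 8) == 0) { ERR("key '%s': engine keys are not supported with this OpenSSL build\n", d->pkey_file.s); return -1; }` placed before the file loader in the `#else` branch. load_private_key starts and ends outside this hunk.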
25 changes: 13 additions & 12 deletions src/modules/tls/tls_mod.c
Expand Up @@ -91,8 +91,9 @@ int ksr_rand_engine_param(modparam_t type, void *val);

MODULE_VERSION

#if OPENSSL_VERSION_NUMBER >= 0x030000000L
#define OPENSSL_NO_ENGINE
/* Engine is deprecated in OpenSSL 3 */
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
#define KSR_SSL_ENGINE
#endif

extern str sr_tls_event_callback;
Expand Down Expand Up @@ -149,7 +150,7 @@ tls_domain_t srv_defaults = {
};


#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE

typedef struct tls_engine
{
Expand All @@ -166,7 +167,7 @@ static tls_engine_t tls_engine_settings = {
STR_STATIC_INIT("NONE"),
STR_STATIC_INIT("ALL"),
};
#endif /* OPENSSL_NO_ENGINE */
#endif /* KSR_SSL_ENGINE */
/*
* Default settings for client domains when using external config file
*/
Expand Down Expand Up @@ -231,12 +232,12 @@ static param_export_t params[] = {
{"crl", PARAM_STR, &default_tls_cfg.crl},
{"cipher_list", PARAM_STR, &default_tls_cfg.cipher_list},
{"connection_timeout", PARAM_INT, &default_tls_cfg.con_lifetime},
#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
{"engine", PARAM_STR, &tls_engine_settings.engine},
{"engine_config", PARAM_STR, &tls_engine_settings.engine_config},
{"engine_algorithms", PARAM_STR,
&tls_engine_settings.engine_algorithms},
#endif /* OPENSSL_NO_ENGINE */
#endif /* KSR_SSL_ENGINE */
{"tls_log", PARAM_INT, &default_tls_cfg.log},
{"tls_debug", PARAM_INT, &default_tls_cfg.debug},
{"session_cache", PARAM_INT, &default_tls_cfg.session_cache},
Expand Down Expand Up @@ -432,10 +433,10 @@ static int mod_init(void)
}


#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
static int tls_engine_init();
int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
#endif
#endif /* KSR_SSL_ENGINE */

/*
* OpenSSL 1.1.1+: SSL_CTX is repeated in each worker
Expand Down Expand Up @@ -476,7 +477,7 @@ static int mod_child(int rank)
return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
}

#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
/*
* after the child is fork()ed we go through the TLS domains
* and fix up private keys from engine
Expand All @@ -492,7 +493,7 @@ static int mod_child(int rank)
return -1;
LM_INFO("OpenSSL Engine loaded private keys in child: %d\n", rank);
}
#endif
#endif /* KSR_SSL_ENGINE */
return 0;
}

Expand Down Expand Up @@ -702,7 +703,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
}


#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
/*
* initialize OpenSSL engine in child process
* PKCS#11 libraries are not guaranteed to be fork() safe
Expand Down Expand Up @@ -796,4 +797,4 @@ EVP_PKEY *tls_engine_private_key(const char *key_id)
{
return ENGINE_load_private_key(ksr_tls_engine, key_id, NULL, NULL);
}
#endif
#endif /* KSR_SSL_ENGINE */
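Review bot: The KSR_SSL_ENGINE feature test is now written out separately in tls_mod.c, tls_domain.c and tls_server.c, with two different explanatory comments (`/* Engine is deprecated in OpenSSL 3 */` here, `/* only OpenSSL <= 1.1.1 */` in the other two). `tls_engine_private_key()` is defined under this file's copy of the guard and declared `extern` under tls_domain.c's copy, so if one copy is later edited on its own the outcome is an undefined reference at link time or a silently compiled-out HSM path rather than a compile error. Suggest defining the macro once in a header that all three files include (placeholder: `<shared tls header>`), documented as `/* KSR_SSL_ENGINE: ENGINE-backed (HSM/PKCS#11) private keys; only before OpenSSL 3.0 and only when OpenSSL itself was not built with no-engine */`, so the three translation units cannot disagree about whether the engine code exists.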
15 changes: 8 additions & 7 deletions src/modules/tls/tls_server.c
Expand Up @@ -128,8 +128,9 @@ int tls_run_event_routes(struct tcp_connection *c);
#endif /* __SUNPRO_c */
#endif /* TLS_RD_DEBUG */

#if OPENSSL_VERSION_NUMBER >= 0x030000000L
#define OPENSSL_NO_ENGINE
/* only OpenSSL <= 1.1.1 */
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
#define KSR_SSL_ENGINE
#endif

extern str sr_tls_xavp_cfg;
Expand Down Expand Up @@ -427,10 +428,10 @@ static void tls_dump_cert_info(char *s, X509 *cert)
}


#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
// lookup HSM keys in process-local memory
EVP_PKEY *tls_lookup_private_key(SSL_CTX *);
#endif
#endif /* KSR_SSL_ENGINE */
/** wrapper around SSL_accept, usin SSL return convention.
* It will also log critical errors and certificate debugging info.
* @param c - tcp connection with tls (extra_data must be a filled
Expand Down Expand Up @@ -461,12 +462,12 @@ int tls_accept(struct tcp_connection *c, int *error)
BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
goto err;
}
#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
/* check if we have a HSM key */
EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
if(pkey)
SSL_use_PrivateKey(ssl, pkey);
#endif
#endif /* KSR_SSL_ENGINE */
tls_openssl_clear_errors();
ret = SSL_accept(ssl);
if(unlikely(ret == 1)) {
Expand Down Expand Up @@ -531,7 +532,7 @@ int tls_connect(struct tcp_connection *c, int *error)
BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
goto err;
}
#ifndef OPENSSL_NO_ENGINE
#ifdef KSR_SSL_ENGINE
// lookup HSM private key in process-local memory
EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
if(pkey) {
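Review bot: In tls_accept the return value of `SSL_use_PrivateKey(ssl, pkey)` under the renamed `#ifdef KSR_SSL_ENGINE` block is discarded, so if installing the HSM key on the connection fails the handshake proceeds with whatever key the SSL_CTX holds and only fails later inside `SSL_accept()` with an error that does not point at the engine key. These are context lines rather than new code, but the guard rename touches exactly this block, and the tls_connect path further down opens a block after `if(pkey) {` that appears to handle the result (cut off in this hunk). Suggest `if(pkey && SSL_use_PrivateKey(ssl, pkey) != 1) { ERR("failed to install engine private key on connection\n"); goto err; }`, reusing the `err` label already used by the state check above. tls_accept's body continues outside the hunk.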

0 comments on commit 0c68a55
