diff --git a/src/modules/tls/tls_domain.c b/src/modules/tls/tls_domain.c
index 4e35f91f8a5..48c3aa26189 100644
--- a/src/modules/tls/tls_domain.c
+++ b/src/modules/tls/tls_domain.c
@@ -30,15 +30,16 @@
 #include
 #include
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-#define OPENSSL_NO_ENGINE
+/* only OpenSSL <= 1.1.1 */
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_ENGINE
 #endif
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 #include
 #include "tls_map.h"
 extern EVP_PKEY *tls_engine_private_key(const char *key_id);
-#endif
+#endif /* KSR_SSL_ENGINE */
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 #include
@@ -1227,7 +1228,7 @@ static int passwd_cb(char *buf, int size, int rwflag, void *filename)
 #endif
 }
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 /*
 * Implement a hash map from SSL_CTX to private key
 * as HSM keys need to be process local
@@ -1329,7 +1330,7 @@ static int load_engine_private_key(tls_domain_t *d)
 d->pkey_file.s);
 return 0;
 }
-#endif
+#endif /* KSR_SSL_ENGINE */
 /**
 * @brief Load a private key from a file
 * @param d TLS domain
@@ -1353,7 +1354,7 @@ static int load_private_key(tls_domain_t *d)
 SSL_CTX_set_default_passwd_cb_userdata(d->ctx[i], d->pkey_file.s);
 for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 // in PROC_INIT skip loading HSM keys due to
 // fork() issues with PKCS#11 libraries
 if(strncmp(d->pkey_file.s, "/engine:", 8) != 0) {
@@ -1365,7 +1366,7 @@ static int load_private_key(tls_domain_t *d)
 #else
 ret_pwd = SSL_CTX_use_PrivateKey_file(
 d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
-#endif
+#endif /* KSR_SSL_ENGINE */
 if(ret_pwd) {
 break;
 } else {
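Review bot: The `KSR_SSL_ENGINE` definition in the first hunk is repeated verbatim in tls_mod.c (hunk @@ -91) and tls_server.c (hunk @@ -128), and each copy gates declarations that the other translation units depend on: `tls_engine_private_key` is declared here and defined in tls_mod.c, `tls_fix_engine_keys` is defined here and prototyped in tls_mod.c, and `tls_lookup_private_key` is prototyped in tls_server.c. If one copy drifts, the build either fails to link or compiles an engine-enabled caller against an engine-less definition, so a single definition in a header that all three files include would keep them in lockstep. The two comments already disagree (`only OpenSSL <= 1.1.1` here, `Engine is deprecated in OpenSSL 3` in tls_mod.c); one comment naming both halves of the condition would be clearer, e.g. `/* ENGINE API: only when OpenSSL was built with engine support and is older than 3.0, where ENGINE is deprecated */`.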
@@ -1382,12 +1383,12 @@ static int load_private_key(tls_domain_t *d)
 TLS_ERR("load_private_key:");
 return -1;
 }
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 if(strncmp(d->pkey_file.s, "/engine:", 8) == 0) {
 // skip private key validity check for HSM keys
 continue;
 }
-#endif
+#endif /* KSR_SSL_ENGINE */
 if(!SSL_CTX_check_private_key(d->ctx[i])) {
 ERR("%s: Key '%s' does not match the public key of the"
 " certificate\n",
@@ -1403,7 +1404,7 @@ static int load_private_key(tls_domain_t *d)
 }
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 /**
 * @brief Initialize engine private keys
 *
@@ -1435,7 +1436,7 @@ int tls_fix_engine_keys(tls_domains_cfg_t *cfg, tls_domain_t *srv_defaults,
 return 0;
 }
-#endif
+#endif /* KSR_SSL_ENGINE */
 /**
 * @brief Initialize attributes of all domains from default domains if necessary
 *
diff --git a/src/modules/tls/tls_mod.c b/src/modules/tls/tls_mod.c
index 322be20bd8e..20ac304af1e 100644
--- a/src/modules/tls/tls_mod.c
+++ b/src/modules/tls/tls_mod.c
@@ -91,8 +91,9 @@ int ksr_rand_engine_param(modparam_t type, void *val);
 MODULE_VERSION
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-#define OPENSSL_NO_ENGINE
+/* Engine is deprecated in OpenSSL 3 */
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_ENGINE
 #endif
 extern str sr_tls_event_callback;
@@ -149,7 +150,7 @@ tls_domain_t srv_defaults = {
 };
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 typedef struct tls_engine
 {
@@ -166,7 +167,7 @@ static tls_engine_t tls_engine_settings = {
 STR_STATIC_INIT("NONE"),
 STR_STATIC_INIT("ALL"),
 };
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* KSR_SSL_ENGINE */
 /*
 * Default settings for client domains when using external config file
 */
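Review bot: The new guard in the tls_mod.c hunk @@ -91 reads `OPENSSL_NO_ENGINE` and `OPENSSL_VERSION_NUMBER`, both of which come from OpenSSL's own headers (`<openssl/opensslconf.h>` and `<openssl/opensslv.h>`), and the hunk does not show whether any OpenSSL header is included before this point. If neither macro is defined yet, the preprocessor treats `!defined(OPENSSL_NO_ENGINE)` as true and `OPENSSL_VERSION_NUMBER` as 0, so the `#if` is satisfied and `KSR_SSL_ENGINE` is silently defined even for an OpenSSL 3 or engine-less build, enabling the ENGINE code path against a library that lacks it. Placing `#ifndef OPENSSL_VERSION_NUMBER` / `#error "OpenSSL headers must be included before the KSR_SSL_ENGINE check"` / `#endif` ahead of the condition turns that into a build error; the same applies to the copy in tls_server.c (hunk @@ -128).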
@@ -231,12 +232,12 @@ static param_export_t params[] = {
 {"crl", PARAM_STR, &default_tls_cfg.crl},
 {"cipher_list", PARAM_STR, &default_tls_cfg.cipher_list},
 {"connection_timeout", PARAM_INT, &default_tls_cfg.con_lifetime},
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 {"engine", PARAM_STR, &tls_engine_settings.engine},
 {"engine_config", PARAM_STR, &tls_engine_settings.engine_config},
 {"engine_algorithms", PARAM_STR, &tls_engine_settings.engine_algorithms},
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* KSR_SSL_ENGINE */
 {"tls_log", PARAM_INT, &default_tls_cfg.log},
 {"tls_debug", PARAM_INT, &default_tls_cfg.debug},
 {"session_cache", PARAM_INT, &default_tls_cfg.session_cache},
@@ -432,10 +433,10 @@ static int mod_init(void)
 }
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 static int tls_engine_init();
 int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
-#endif
+#endif /* KSR_SSL_ENGINE */
 /*
 * OpenSSL 1.1.1+: SSL_CTX is repeated in each worker
@@ -476,7 +477,7 @@ static int mod_child(int rank)
 return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
 }
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 /*
 * after the child is fork()ed we go through the TLS domains
 * and fix up private keys from engine
@@ -492,7 +493,7 @@ static int mod_child(int rank)
 return -1;
 LM_INFO("OpenSSL Engine loaded private keys in child: %d\n", rank);
 }
-#endif
+#endif /* KSR_SSL_ENGINE */
 return 0;
 }
@@ -702,7 +703,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
 }
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 /*
 * initialize OpenSSL engine in child process
 * PKCS#11 libraries are not guaranteed to be fork() safe
@@ -796,4 +797,4 @@ EVP_PKEY *tls_engine_private_key(const char *key_id)
 {
 return ENGINE_load_private_key(ksr_tls_engine, key_id, NULL, NULL);
 }
-#endif
+#endif /* KSR_SSL_ENGINE */
diff --git a/src/modules/tls/tls_server.c b/src/modules/tls/tls_server.c
index 420fd5a868e..947f107131b 100644
--- a/src/modules/tls/tls_server.c
+++ b/src/modules/tls/tls_server.c
@@ -128,8 +128,9 @@ int tls_run_event_routes(struct tcp_connection *c);
 #endif /* __SUNPRO_c */
 #endif /* TLS_RD_DEBUG */
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-#define OPENSSL_NO_ENGINE
+/* only OpenSSL <= 1.1.1 */
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_ENGINE
 #endif
 extern str sr_tls_xavp_cfg;
@@ -427,10 +428,10 @@ static void tls_dump_cert_info(char *s, X509 *cert)
 }
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 // lookup HSM keys in process-local memory
 EVP_PKEY *tls_lookup_private_key(SSL_CTX *);
-#endif
+#endif /* KSR_SSL_ENGINE */
 /** wrapper around SSL_accept, usin SSL return convention.
 * It will also log critical errors and certificate debugging info.
 * @param c - tcp connection with tls (extra_data must be a filled
@@ -461,12 +462,12 @@ int tls_accept(struct tcp_connection *c, int *error)
 BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
 goto err;
 }
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 /* check if we have a HSM key */
 EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
 if(pkey)
 SSL_use_PrivateKey(ssl, pkey);
-#endif
+#endif /* KSR_SSL_ENGINE */
 tls_openssl_clear_errors();
 ret = SSL_accept(ssl);
 if(unlikely(ret == 1)) {
@@ -531,7 +532,7 @@ int tls_connect(struct tcp_connection *c, int *error)
 BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
 goto err;
 }
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 // lookup HSM private key in process-local memory
 EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
 if(pkey) {
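Review bot: In the `tls_accept` hunk (@@ -461) the block that this guard rename keeps compiled calls `SSL_use_PrivateKey(ssl, pkey)` and discards its return, so a failure to install the HSM key is only seen later as an unexplained `SSL_accept` error instead of being logged where it happens; the `tls_connect` copy (@@ -531) opens an `if(pkey) {` whose body runs past the hunk, so I cannot tell whether it checks. This is pre-existing code rather than something the commit changes, but since the hunk already touches the guard around it, it is the natural place to tighten it, and the `goto err;` three lines above shows the cleanup label exists in this function: `if(pkey && SSL_use_PrivateKey(ssl, pkey) != 1) { ERR("failed to set HSM private key\n"); goto err; }`. If the module intentionally falls back to the key held by the SSL_CTX, at least logging the failure would make that decision visible to operators.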