[gnurl] 81/264: openssl: adapt to functions marked as deprecated since v
From: gnunet
Subject: [gnurl] 81/264: openssl: adapt to functions marked as deprecated since version 3
Date: Thu, 30 Apr 2020 16:06:24 +0200
This is an automated email from the git hooks/post-receive script.
nikita pushed a commit to branch master
in repository gnurl.
commit 02174e41f5c6199fb6f00b1900e1ea89821db321
Author: Daniel Stenberg <address@hidden>
AuthorDate: Mon Mar 23 12:28:20 2020 +0100
openssl: adapt to functions marked as deprecated since version 3
OpenSSL 3 deprecates SSL_CTX_load_verify_locations and the MD4, DES
functions we use.
Fix the MD4 and SSL_CTX_load_verify_locations warnings.
In configure, detect OpenSSL v3 and if so, inhibit the deprecation
warnings. OpenSSL v3 deprecates the DES functions we use for NTLM and
until we rewrite the code to use non-deprecated functions we better
ignore these warnings as they don't help us.
Closes #5139
---
configure.ac | 25 +++++++++++++++++++++++++
lib/md4.c | 4 ++++
lib/vtls/openssl.c | 29 +++++++++++++++++++++++++++++
3 files changed, 58 insertions(+)
diff --git a/configure.ac b/configure.ac
index 973394bce..31fc8ffb7 100755
--- a/configure.ac
+++ b/configure.ac
@@ -1873,6 +1873,31 @@ if test -z "$ssl_backends" -o "x$OPT_SSL" != xno &&
],[
AC_MSG_RESULT([no])
])
+
+ AC_MSG_CHECKING([for OpenSSL >= v3])
+ AC_COMPILE_IFELSE([
+ AC_LANG_PROGRAM([[
+#include <openssl/opensslv.h>
+ ]],[[
+ #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ return 0;
+ #else
+ #error older than 3
+ #endif
+ ]])
+ ],[
+ AC_MSG_RESULT([yes])
+ AC_DEFINE_UNQUOTED(HAVE_OPENSSL3, 1,
+ [Define to 1 if using OpenSSL 3 or later.])
+ dnl OpenSSLv3 marks the DES functions deprecated but we have no
+ dnl replacements (yet) so tell the compiler to not warn for them
+ dnl
+ dnl Ask OpenSSL to suppress the warnings.
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+ ssl_msg="OpenSSL v3+"
+ ],[
+ AC_MSG_RESULT([no])
+ ])
fi
if test "$OPENSSL_ENABLED" = "1"; then
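Review bot: The `CPPFLAGS="$CPPFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"` line in the yes-branch turns off every OpenSSL deprecation warning for the whole build, while the dnl comment above it only justifies doing so for the DES functions. That also hides the warning for any other deprecated call added later. Suggest stating in the comment that the suppression is global and temporary, or defining the macro only in the sources that use DES. Separately, this check defines HAVE_OPENSSL3, but the lib/md4.c and lib/vtls/openssl.c hunks in this same patch test OPENSSL_VERSION_MAJOR directly; pick one of the two so the version gate lives in one place. Since the value is a literal 1, plain AC_DEFINE is enough.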
diff --git a/lib/md4.c b/lib/md4.c
index 4dab6af7a..10e6fc537 100644
--- a/lib/md4.c
+++ b/lib/md4.c
@@ -29,6 +29,10 @@
#ifdef USE_OPENSSL
#include <openssl/opensslconf.h>
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+/* OpenSSL 3.0.0 marks the MD4 functions as deprecated */
+#define OPENSSL_NO_MD4
+#endif
#endif /* USE_OPENSSL */
#ifdef USE_MBEDTLS
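Review bot: The new `#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)` test runs with only <openssl/opensslconf.h> included, whereas the configure.ac check in this patch includes <openssl/opensslv.h> to get the same macro. If opensslconf.h does not bring in the version header, the condition is silently false and OPENSSL_NO_MD4 is never defined. Suggest including <openssl/opensslv.h> explicitly here, or testing HAVE_OPENSSL3 from configure. The comment should also say what defining OPENSSL_NO_MD4 is for (which MD4 implementation gets selected instead), since the macro lives in OpenSSL's own namespace and the hunk does not show its effect.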
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index ece655133..14bfe3562 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2719,6 +2719,33 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
}
#endif
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */
+ if(ssl_cafile) {
+ if(!SSL_CTX_load_verify_file(backend->ctx, ssl_cafile)) {
+ if(verifypeer) {
+ /* Fail if we insist on successfully verifying the server. */
+ failf(data, "error setting certificate file: %s", ssl_cafile);
+ return CURLE_SSL_CACERT_BADFILE;
+ }
+ /* Continue with a warning if no certificate verification is required. */
+ infof(data, "error setting certificate file, continuing anyway\n");
+ }
+ infof(data, " CAfile: %s\n", ssl_cafile);
+ }
+ if(ssl_capath) {
+ if(!SSL_CTX_load_verify_dir(backend->ctx, ssl_capath)) {
+ if(verifypeer) {
+ /* Fail if we insist on successfully verifying the server. */
+ failf(data, "error setting certificate path: %s", ssl_capath);
+ return CURLE_SSL_CACERT_BADFILE;
+ }
+ /* Continue with a warning if no certificate verification is required. */
+ infof(data, "error setting certificate path, continuing anyway\n");
+ }
+ infof(data, " CApath: %s\n", ssl_capath);
+ }
+#else
if(ssl_cafile || ssl_capath) {
/* tell SSL where to find CA certificates that are used to verify
the servers certificate. */
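Review bot: In the new OpenSSL 3 branch, `infof(data, " CAfile: %s\n", ssl_cafile);` sits outside the failure check, so when SSL_CTX_load_verify_file() fails with verifypeer off, the log shows "error setting certificate file, continuing anyway" immediately followed by a CAfile line that reads as if the file were in use. The CApath block has the same shape. Suggest moving each of these infof calls into an else of its load check. The two blocks are also near copies of each other; a small helper taking the loader's result, the label and the path would keep the failf/infof handling in one place.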
@@ -2746,6 +2773,8 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none");
}
+#endif
+
#ifdef CURL_CA_FALLBACK
else if(verifypeer) {
/* verifying the peer without any CA certificates won't
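Review bot: Placing `#endif` directly before `#ifdef CURL_CA_FALLBACK` leaves the `else if(verifypeer)` that follows attached to a different `if` in each branch. In the `#else` branch it pairs with `if(ssl_cafile || ssl_capath)`; in the OpenSSL 3 branch the last statement before it is `if(ssl_capath) { ... }`, so the fallback is taken whenever ssl_capath is unset, including when ssl_cafile was given and loaded. Suggest wrapping the two new blocks in an outer `if(ssl_cafile || ssl_capath) { ... }` so the else keeps its original meaning, and adding a comment on the `#endif` naming the condition it closes.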
--
To stop receiving notification emails like this one, please contact
address@hidden.