Openssl 3.0.0

Julien ÉLIE julien at trigofacile.com
Sun Oct 17 11:45:17 UTC 2021


Hi all,

> tls.c: In function 'eckey_from_name':
> tls.c:473:5: warning: 'EC_KEY_new_by_curve_name' is deprecated: Since 
> OpenSSL 3.0 [-Wdeprecated-declarations]
>    473 |     eckey = EC_KEY_new_by_curve_name(builtin_curves[i].nid);
>        |     ^~~~~

FYI, all the mechanisms to select curves have changed.
I've managed to find the right function to use:
   https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html

We now just need a straightforward call like:
   SSL_CTX_set1_groups_list(CTX, "X25519");

instead of all the machinery to find out the ID of the curve name.
The new OpenSSL 3.0.0 is great!
I hope it will now remain stable because we have #if for 0.9.8, 0.9.8d, 
1.0.2, 1.1.0, 1.1.1 and 3.0.0 versions.

I've checked that if the provided curve does not exist, nnrpd negotiates 
the default one.  Otherwise, it takes it into account.

[tlseccurve: "X25519" in inn.conf]
Server Temp Key: X25519, 253 bits

[tlseccurve: "P-256" in inn.conf]
Server Temp Key: ECDH, P-256, 256 bits



=> We now fully support the new OpenSSL 3.0.0 API.




--- a/nnrpd/tls.c
+++ b/nnrpd/tls.c
@@ -440,10 +440,13 @@ set_cert_stuff(SSL_CTX * ctx, char *cert_file, 
char *key_file)
  }


-#ifdef HAVE_OPENSSL_ECC
+#if defined(HAVE_OPENSSL_ECC) && OPENSSL_VERSION_NUMBER < 0x01010100fL
  /*
  **  Provide an ECKEY from a curve name.
  **  Accepts a NULL pointer as the name.
+**  The EC_KEY_new_ey_curve_name() function has been deprecated in
+**  OpenSSL 3.0.0; another mechanism to select groups has been available
+**  since OpenSSL 1.1.1.
  **
  **  Returns the key, or NULL on error.
  */
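Review bot: the added comment misspells the function as `EC_KEY_new_ey_curve_name()`; the deprecated function named in the compiler warning quoted at the top is `EC_KEY_new_by_curve_name()`, so the line should read `**  The EC_KEY_new_by_curve_name() function has been deprecated in`. The new guard `#if defined(HAVE_OPENSSL_ECC) && OPENSSL_VERSION_NUMBER < 0x01010100fL` uses the right threshold: it matches the `# if OPENSSL_VERSION_NUMBER < 0x01010100fL` branch in tls_init_serverengine() that is the only remaining caller of eckey_from_name(), so the helper is compiled exactly when it is used.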
@@ -512,9 +515,6 @@ tls_init_serverengine(int verifydepth, int askcert, 
int requirecert,
      struct stat buf;
      size_t  tls_protos = 0;
      size_t  i;
-#ifdef HAVE_OPENSSL_ECC
-    EC_KEY *eckey;
-#endif

      if (tls_serverengine)
        return (0);                              /* Already running. */
@@ -593,9 +593,18 @@ tls_init_serverengine(int verifydepth, int askcert, 
int requirecert,
      /* We set a curve here by name if provided
       * or we use OpenSSL (>= 1.0.2) auto-selection
       * or we default to NIST P-256. */
-    eckey = eckey_from_name(tls_ec_curve);
-    if (eckey != NULL) {
-        SSL_CTX_set_tmp_ecdh(CTX, eckey);
+    if (tls_ec_curve != NULL) {
+# if OPENSSL_VERSION_NUMBER < 0x01010100fL
+        /* A new mechanism to select groups has been introduced
+         * in OpenSSL 1.1.1. */
+        EC_KEY *eckey;
+        eckey = eckey_from_name(tls_ec_curve);
+        if (eckey != NULL) {
+            SSL_CTX_set_tmp_ecdh(CTX, eckey);
+        }
+# else
+        SSL_CTX_set1_groups_list(CTX, tls_ec_curve);
+# endif
      } else {
  # if OPENSSL_VERSION_NUMBER < 0x010100000L
  #  if OPENSSL_VERSION_NUMBER >= 0x01000200fL
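Review bot: the return value of `SSL_CTX_set1_groups_list(CTX, tls_ec_curve);` is discarded, so an unknown or misspelled tlseccurve value fails silently and the context keeps OpenSSL's default group list (this is the fallback to the default curve observed in the test described above). The function returns 0 on failure, so the branch can report the misconfiguration instead of hiding it, e.g. `if (!SSL_CTX_set1_groups_list(CTX, tls_ec_curve)) syslog(L_ERROR, "unknown tlseccurve %s, using default groups", tls_ec_curve);` (the logging call is illustrative; use whatever tls.c already logs with). The same silent fallback exists in the pre-1.1.1 branch, where `eckey_from_name()` returning NULL is not reported either.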





-- 
Julien ÉLIE

« It is a virgin forest where the hand of man has never set foot. »

