Basic support for OpenSSL 3.0.0 (#3448)

* updated README.md * Create close-inactive-issues.yml * check return codes of EVP_CIPHER_CTX_new and EVP_CipherInit Especially with OpenSSL 3, it is possible that EVP_CipherInit may fail even when passed a non-null cipher[1]. Without the checking, it will finally get to a segfault. [1] https://github.com/openssl/openssl/issues/16864 * Automatically load default and legacy providers with OpenSSL 3 Without the legacy provider [1], some ciphers are not available. For example, the 'des-ecb' one used by test sutie is missed and the test will fail. [1] OSSL_PROVIDER-LEGACY(7ossl) * Make p12 ca order the same as pem OpenSSL < 3 returns p12 ca order in reversed order. This is fixed in OpenSSL 3. We work around it with old OpenSSL. See: https://github.com/openssl/openssl/issues/16421 https://github.com/openssl/openssl/pull/12641 f5eb85eb0f * Implement SSL abort handling on OpenSSL 3 On an unexpected EOF, versions before OpenSSL 3.0 returned SSL_ERROR_SYSCALL, nothing was added to the error stack, and errno was 0. Since OpenSSL 3.0 the returned error is SSL_ERROR_SSL with a meaningful error on the error stack.[1] [1] SSL_GET_ERROR(3ossl) Co-authored-by: Günter Obiltschnig <guenter.obiltschnig@appinf.com> Co-authored-by: Robin Lee <cheeselee@fedoraproject.org> Co-authored-by: Aleksandar Fabijanic <aleks-f@users.noreply.github.com>
2025-01-31 14:39:53 +01:00 · 2022-03-30 02:23:44 +08:00 · 2022-03-30 02:23:44 +08:00 · 3bab3548f4
commit 3bab3548f4
parent 5a0b18246b
5 changed files with 35 additions and 10 deletions
--- a/.github/workflows/close-inactive-issues.yml
+++ b/.github/workflows/close-inactive-issues.yml
@ -0,0 +1,19 @@
+name: Close inactive issues
+on:
+  schedule:
+    - cron: "30 2 * * *"
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v3
+        with:
+          days-before-issue-stale: 365
+          days-before-issue-close: 60
+          stale-issue-label: "stale"
+          stale-issue-message: "This issue is stale because it has been open for 365 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 60 days since being marked as stale."
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/Crypto/src/CipherFactory.cpp
+++ b/Crypto/src/CipherFactory.cpp
@ -22,6 +22,9 @@
 #include "Poco/SingletonHolder.h"
 #include <openssl/evp.h>
 #include <openssl/err.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/provider.h>
+#endif


 namespace Poco {
@ -30,6 +33,10 @@ namespace Crypto {

 CipherFactory::CipherFactory()
 {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	OSSL_PROVIDER_load(NULL, "default");
+	OSSL_PROVIDER_load(NULL, "legacy");
+#endif
 }


--- a/Crypto/src/PKCS12Container.cpp
+++ b/Crypto/src/PKCS12Container.cpp
@ -175,10 +175,10 @@ void PKCS12Container::load(PKCS12* pPKCS12, const std::string& password)
 					X509* pX509 = sk_X509_value(pCA, i);
 #else
 					// Cert order is reversed on OpenSSL < 3.
- 					// https://github.com/openssl/openssl/issues/16421
- 					// https://github.com/openssl/openssl/pull/12641
- 					// https://github.com/jeroen/openssl/commit/f5eb85eb0fd432406a24abda6511c449eaee6162
-					X509* pX509 = sk_X509_value(pCA, certCount - i - 1);
+					// https://github.com/openssl/openssl/issues/16421
+					// https://github.com/openssl/openssl/pull/12641
+					// https://github.com/jeroen/openssl/commit/f5eb85eb0fd432406a24abda6511c449eaee6162
+					X509* pX509 = sk_X509_value(pCA, (certCount - i - 1));
 #endif
 					if (pX509)
 					{
--- a/NetSSL_OpenSSL/src/SecureSocketImpl.cpp
+++ b/NetSSL_OpenSSL/src/SecureSocketImpl.cpp
@ -483,11 +483,11 @@ int SecureSocketImpl::handleError(int rc)
 		// these should not occur
 		poco_bugcheck();
 		return rc;
-	// SSL_GET_ERROR(3ossl):
- 	// On an unexpected EOF, versions before OpenSSL 3.0 returned
- 	// SSL_ERROR_SYSCALL, nothing was added to the error stack, and
- 	// errno was 0.  Since OpenSSL 3.0 the returned error is
- 	// SSL_ERROR_SSL with a meaningful error on the error stack.
+// SSL_GET_ERROR(3ossl):
+// On an unexpected EOF, versions before OpenSSL 3.0 returned
+// SSL_ERROR_SYSCALL, nothing was added to the error stack, and
+// errno was 0.  Since OpenSSL 3.0 the returned error is
+// SSL_ERROR_SSL with a meaningful error on the error stack.
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 	case SSL_ERROR_SSL:
 #else
--- a/README.md
+++ b/README.md
@ -1,6 +1,5 @@
 ![alt text][logo]

-
 [![poco-ci](https://github.com/pocoproject/poco/actions/workflows/ci.yml/badge.svg?branch=poco-1.11.2)](https://github.com/pocoproject/poco/actions/workflows/ci.yml)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/370/badge)](https://bestpractices.coreinfrastructure.org/projects/370)