Basic support for OpenSSL 3.0.0 (#3448)

* updated README.md

* Create close-inactive-issues.yml

* check return codes of EVP_CIPHER_CTX_new and EVP_CipherInit

Especially with OpenSSL 3, it is possible that EVP_CipherInit may fail even when
passed a non-null cipher[1]. Without the checking, it will finally get to a
segfault.

[1] https://github.com/openssl/openssl/issues/16864

* Automatically load default and legacy providers with OpenSSL 3

Without the legacy provider [1], some ciphers are not available. For example,
the 'des-ecb' one used by test sutie is missed and the test will fail.

[1] OSSL_PROVIDER-LEGACY(7ossl)

* Make p12 ca order the same as pem

OpenSSL < 3 returns p12 ca order in reversed order. This is fixed
in OpenSSL 3. We work around it with old OpenSSL.

See:
https://github.com/openssl/openssl/issues/16421
https://github.com/openssl/openssl/pull/12641
f5eb85eb0f

* Implement SSL abort handling on OpenSSL 3

On an unexpected EOF, versions before OpenSSL 3.0 returned SSL_ERROR_SYSCALL,
nothing was added to the error stack, and errno was 0. Since OpenSSL 3.0 the
returned error is SSL_ERROR_SSL with a meaningful error on the error stack.[1]

[1] SSL_GET_ERROR(3ossl)

Co-authored-by: Günter Obiltschnig <guenter.obiltschnig@appinf.com>
Co-authored-by: Robin Lee <cheeselee@fedoraproject.org>
Co-authored-by: Aleksandar Fabijanic <aleks-f@users.noreply.github.com>
This commit is contained in:
Robin Lee
2022-03-30 02:23:44 +08:00
committed by GitHub
parent 5a0b18246b
commit 3bab3548f4
5 changed files with 35 additions and 10 deletions

View File

@@ -0,0 +1,19 @@
name: Close inactive issues
on:
schedule:
- cron: "30 2 * * *"
jobs:
close-issues:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v3
with:
days-before-issue-stale: 365
days-before-issue-close: 60
stale-issue-label: "stale"
stale-issue-message: "This issue is stale because it has been open for 365 days with no activity."
close-issue-message: "This issue was closed because it has been inactive for 60 days since being marked as stale."
days-before-pr-stale: -1
days-before-pr-close: -1
repo-token: ${{ secrets.GITHUB_TOKEN }}

View File

@@ -22,6 +22,9 @@
#include "Poco/SingletonHolder.h" #include "Poco/SingletonHolder.h"
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/provider.h>
#endif
namespace Poco { namespace Poco {
@@ -30,6 +33,10 @@ namespace Crypto {
CipherFactory::CipherFactory() CipherFactory::CipherFactory()
{ {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
OSSL_PROVIDER_load(NULL, "default");
OSSL_PROVIDER_load(NULL, "legacy");
#endif
} }

View File

@@ -175,10 +175,10 @@ void PKCS12Container::load(PKCS12* pPKCS12, const std::string& password)
X509* pX509 = sk_X509_value(pCA, i); X509* pX509 = sk_X509_value(pCA, i);
#else #else
// Cert order is reversed on OpenSSL < 3. // Cert order is reversed on OpenSSL < 3.
// https://github.com/openssl/openssl/issues/16421 // https://github.com/openssl/openssl/issues/16421
// https://github.com/openssl/openssl/pull/12641 // https://github.com/openssl/openssl/pull/12641
// https://github.com/jeroen/openssl/commit/f5eb85eb0fd432406a24abda6511c449eaee6162 // https://github.com/jeroen/openssl/commit/f5eb85eb0fd432406a24abda6511c449eaee6162
X509* pX509 = sk_X509_value(pCA, certCount - i - 1); X509* pX509 = sk_X509_value(pCA, (certCount - i - 1));
#endif #endif
if (pX509) if (pX509)
{ {

View File

@@ -483,11 +483,11 @@ int SecureSocketImpl::handleError(int rc)
// these should not occur // these should not occur
poco_bugcheck(); poco_bugcheck();
return rc; return rc;
// SSL_GET_ERROR(3ossl): // SSL_GET_ERROR(3ossl):
// On an unexpected EOF, versions before OpenSSL 3.0 returned // On an unexpected EOF, versions before OpenSSL 3.0 returned
// SSL_ERROR_SYSCALL, nothing was added to the error stack, and // SSL_ERROR_SYSCALL, nothing was added to the error stack, and
// errno was 0. Since OpenSSL 3.0 the returned error is // errno was 0. Since OpenSSL 3.0 the returned error is
// SSL_ERROR_SSL with a meaningful error on the error stack. // SSL_ERROR_SSL with a meaningful error on the error stack.
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
case SSL_ERROR_SSL: case SSL_ERROR_SSL:
#else #else

View File

@@ -1,6 +1,5 @@
![alt text][logo] ![alt text][logo]
[![poco-ci](https://github.com/pocoproject/poco/actions/workflows/ci.yml/badge.svg?branch=poco-1.11.2)](https://github.com/pocoproject/poco/actions/workflows/ci.yml) [![poco-ci](https://github.com/pocoproject/poco/actions/workflows/ci.yml/badge.svg?branch=poco-1.11.2)](https://github.com/pocoproject/poco/actions/workflows/ci.yml)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/370/badge)](https://bestpractices.coreinfrastructure.org/projects/370) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/370/badge)](https://bestpractices.coreinfrastructure.org/projects/370)