From 145bb764f4132d01e96be5b19510bef63ab63312 Mon Sep 17 00:00:00 2001
From: Patrick Williams
Date: Tue, 7 Dec 2021 21:05:04 -0600
Subject: ssl_key_handler: support OpenSSL 3.0 for key verification

Loading and checking of keys is one area where OpenSSL 1.0 and 3.0 are not compatible. Many of the functions currently used in the ssl_key_handler are deprecated in 3.0, but the APIs necessary for conversion also do not exist in 1.0. Until OpenSSL 3.0 is widely used in Linux distributions we therefore need to support both APIs.

Add a #define on the OPENSSL_VERSION_NUMBER to identify 3.x (or greater) support and switch between the two API sets.

Tested: Added to a Yocto test build for the subtree update that includes OpenSSL 3.x and confirmed Romulus QEMU test is successful.

Signed-off-by: Patrick Williams
Change-Id: I22bc77753bb32d1b92932f9918d64856a4e52af8
---
 include/ssl_key_handler.hpp | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 'include')

diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 4578c2b0f0..067b0dc9be 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -109,6 +109,7 @@ inline bool verifyOpensslKeyCert(const std::string& filepath)
 EVP_PKEY* pkey = PEM_read_PrivateKey(file, nullptr, nullptr, nullptr);
 if (pkey != nullptr)
 {
+#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
 RSA* rsa = EVP_PKEY_get1_RSA(pkey);
 if (rsa != nullptr)
 {
@@ -142,6 +143,26 @@ inline bool verifyOpensslKeyCert(const std::string& filepath)
 EC_KEY_free(ec);
 }
 }
+#else
+ EVP_PKEY_CTX* pkey_ctx =
+ EVP_PKEY_CTX_new_from_pkey(nullptr, pkey, nullptr);
+
+ if (!pkey_ctx)
+ {
+ std::cerr << "Unable to allocate pkey_ctx " << ERR_get_error()
+ << "\n";
+ }
+ else if (EVP_PKEY_check(pkey_ctx) == 1)
+ {
+ privateKeyValid = true;
+ }
+ else
+ {
+
+ std::cerr << "Key not valid error number " << ERR_get_error()
+ << "\n";
+ }
+#endif
 if (privateKeyValid)
 {
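Review bot: The OpenSSL 3 branch sets `privateKeyValid` for whatever key type `PEM_read_PrivateKey` returned, whereas the branch it replaces only reaches a valid verdict through the RSA (`EVP_PKEY_get1_RSA`) and EC (`EC_KEY_free(ec)`) paths, so on 3.x a private key of another algorithm that previously failed verification now passes whenever `EVP_PKEY_check` succeeds. If the accepted algorithm set is meant to stay the same across both builds, guard the check with `EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "EC")` before calling it, and say so in a comment either way. The context is released only in a later hunk, far from its allocation; holding it as `std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)> pkeyCtx(EVP_PKEY_CTX_new_from_pkey(nullptr, pkey, nullptr), &EVP_PKEY_CTX_free);` would tie its lifetime to this scope and remove the need for a second version-guarded block. The empty line at the top of the final `else` block is stray. verifyOpensslKeyCert starts before and ends after this hunk.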
@@ -164,6 +185,9 @@ inline bool verifyOpensslKeyCert(const std::string& filepath)
 }
 }
+#if (OPENSSL_VERSION_NUMBER > 0x30000000L)
+ EVP_PKEY_CTX_free(pkey_ctx);
+#endif
 EVP_PKEY_free(pkey);
 }
 fclose(file);
--
cgit v1.2.3
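Review bot: The cleanup guard uses `> 0x30000000L` while the guard that allocates `pkey_ctx` in the earlier hunk uses `< 0x30000000L`, so a build against exactly OPENSSL_VERSION_NUMBER 0x30000000L takes the new allocation path but compiles out `EVP_PKEY_CTX_free`, leaking the context on every call of this function. Change the guard to `#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)` so the two conditions are complementary. Better still, own the context with a `std::unique_ptr` whose deleter is `EVP_PKEY_CTX_free` at the allocation site, which makes this block unnecessary. verifyOpensslKeyCert continues outside the hunk on both sides.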