authorthiagoftsm <thiagoftsm@gmail.com>2022-06-30 07:11:23 +0000
committerGitHub <noreply@github.com>2022-06-30 07:11:23 +0000
commit12340cf1ef5065c5ab539967e610a263cc602741 (patch)
tree7978d0977c64de2896f07c054d682c3c4587743a /aclk
parent8368cc0fca0fc4ef91f75998b7d4536a49850afe (diff)
Remove warnings when openssl 3 is used. (#13170)
* remove_warnings_openssl_v3: Add new macro to define latest OpenSSL version * remove_warnings_openssl_v3: Add headers necessary for new API * remove_warnings_openssl_v3: Add compatible variables and adjust code inside load_private_key * remove_warnings_openssl_v3: Adjust function aclk_get_mqtt_otp according to openssl version * remove_warnings_openssl_v3: Adjust function private_decrypt * remove_warnings_openssl_v3: Fix function private_decrypt * remove_warnings_openssl_v3: Update error message * remove_warnings_openssl_v3: Update missing error message
Diffstat (limited to 'aclk')
-rw-r--r--aclk/aclk.c34
-rw-r--r--aclk/aclk_otp.c34
-rw-r--r--aclk/aclk_otp.h4
3 files changed, 69 insertions, 3 deletions
diff --git a/aclk/aclk.c b/aclk/aclk.c
index 612f4a5710..efbcc5fec9 100644
--- a/aclk/aclk.c
+++ b/aclk/aclk.c
@@ -49,11 +49,25 @@ struct aclk_shared_state aclk_shared_state = {
.mqtt_shutdown_msg_rcvd = 0
};
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300
+OSSL_DECODER_CTX *aclk_dctx = NULL;
+EVP_PKEY *aclk_private_key = NULL;
+#else
static RSA *aclk_private_key = NULL;
+#endif
static int load_private_key()
{
- if (aclk_private_key != NULL)
+ if (aclk_private_key != NULL) {
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300
+ EVP_PKEY_free(aclk_private_key);
+ if (aclk_dctx)
+ OSSL_DECODER_CTX_free(aclk_dctx);
+
+ aclk_dctx = NULL;
+#else
RSA_free(aclk_private_key);
+#endif
+ }
aclk_private_key = NULL;
char filename[FILENAME_MAX + 1];
snprintfz(filename, FILENAME_MAX, "%s/cloud.d/private.pem", netdata_configured_varlib_dir);
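Review bot: The two globals added for the OpenSSL 3 branch lose the `static` that the legacy `RSA *aclk_private_key` keeps, so the private-key handle and the decoder context get external linkage only on OpenSSL 3 builds. Unless another translation unit really needs them, which this diff does not show, declare them as `static OSSL_DECODER_CTX *aclk_dctx = NULL;` and `static EVP_PKEY *aclk_private_key = NULL;`. That keeps both build variants consistent and keeps the key material handle out of the global symbol table. The body of load_private_key continues outside this hunk.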
@@ -72,7 +86,25 @@ static int load_private_key()
goto biofailed;
}
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300
+ aclk_dctx = OSSL_DECODER_CTX_new_for_pkey(&aclk_private_key, "PEM", NULL,
+ "RSA",
+ OSSL_KEYMGMT_SELECT_PRIVATE_KEY,
+ NULL, NULL);
+
+ if (!aclk_dctx) {
+ error("Loading private key (from claiming) failed - no OpenSSL Decoders found");
+ goto biofailed;
+ }
+
+ // this is necesseary to avoid RSA key with wrong size
+ if (!OSSL_DECODER_from_bio(aclk_dctx, key_bio)) {
+ error("Decoding private key (from claiming) failed - invalid format.");
+ goto biofailed;
+ }
+#else
aclk_private_key = PEM_read_bio_RSAPrivateKey(key_bio, NULL, NULL, NULL);
+#endif
BIO_free(key_bio);
if (aclk_private_key!=NULL)
{
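Review bot: The two new `goto biofailed` exits, after `OSSL_DECODER_CTX_new_for_pkey` and after `OSSL_DECODER_from_bio`, jump past `BIO_free(key_bio)`. Unless the `biofailed` label (outside this hunk) frees the BIO, every failed load leaks it; a `BIO_free(key_bio);` before each `goto` would close that. The decoder context is only needed for this one decode, so it could be a local released with `OSSL_DECODER_CTX_free()` right after the decode rather than a global kept until the next reload. The comment above the decode call does not say what it guards against; something like `// decode the PEM into aclk_private_key; fails if the data is not an RSA private key` would be clearer.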
diff --git a/aclk/aclk_otp.c b/aclk/aclk_otp.c
index 47fdf1b598..6ce217a3ac 100644
--- a/aclk/aclk_otp.c
+++ b/aclk/aclk_otp.c
@@ -446,11 +446,37 @@ cleanup_buffers:
return rc;
}
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300
+static int private_decrypt(EVP_PKEY *p_key, unsigned char * enc_data, int data_len, unsigned char **decrypted)
+#else
static int private_decrypt(RSA *p_key, unsigned char * enc_data, int data_len, unsigned char **decrypted)
+#endif
{
+ int result;
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300
+ size_t outlen = EVP_PKEY_size(p_key);
+ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(p_key, NULL);
+ if (!ctx)
+ return 1;
+
+ if (EVP_PKEY_decrypt_init(ctx) <= 0)
+ return 1;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0)
+ return 1;
+
+ *decrypted = mallocz(outlen);
+
+ if (EVP_PKEY_decrypt(ctx, *decrypted, &outlen, enc_data, data_len) == 1)
+ result = (int) outlen;
+ else
+ result = -1;
+#else
*decrypted = mallocz(RSA_size(p_key));
- int result = RSA_private_decrypt(data_len, enc_data, *decrypted, p_key, RSA_PKCS1_OAEP_PADDING);
- if (result == -1) {
+ result = RSA_private_decrypt(data_len, enc_data, *decrypted, p_key, RSA_PKCS1_OAEP_PADDING);
+#endif
+ if (result == -1)
+ {
char err[512];
ERR_error_string_n(ERR_get_error(), err, sizeof(err));
error("Decryption of the challenge failed: %s", err);
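Review bot: In the OpenSSL 3 branch of private_decrypt the `EVP_PKEY_CTX` is never released in the lines shown, and the three early exits return `1` rather than `-1`. A caller that treats the return value as a decrypted length would read `1` as a successful one-byte result while `*decrypted` was never assigned, and the `result == -1` logging below is skipped for those failures. Initialising `result` to `-1`, setting `*decrypted` to NULL before any work, and freeing the context on a single exit path would fix this. How the caller handles `*decrypted` on failure is outside this hunk and should be checked against the NULL case.
```c
    size_t outlen = EVP_PKEY_size(p_key);
    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(p_key, NULL);

    result = -1;
    *decrypted = NULL;
    if (ctx && EVP_PKEY_decrypt_init(ctx) > 0 &&
        EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) > 0) {
        *decrypted = mallocz(outlen);
        if (EVP_PKEY_decrypt(ctx, *decrypted, &outlen, enc_data, data_len) == 1)
            result = (int) outlen;
    }
    // EVP_PKEY_CTX_free() accepts NULL, so one call covers every path
    EVP_PKEY_CTX_free(ctx);
    // … unchanged: #else branch with RSA_private_decrypt and the result == -1 error logging …
```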
@@ -458,7 +484,11 @@ static int private_decrypt(RSA *p_key, unsigned char * enc_data, int data_len, u
return result;
}
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300
+int aclk_get_mqtt_otp(EVP_PKEY *p_key, char **mqtt_id, char **mqtt_usr, char **mqtt_pass, url_t *target)
+#else
int aclk_get_mqtt_otp(RSA *p_key, char **mqtt_id, char **mqtt_usr, char **mqtt_pass, url_t *target)
+#endif
{
unsigned char *challenge;
int challenge_bytes;
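Review bot: The signature of aclk_get_mqtt_otp is now written out twice under `#if`, here and again in the aclk_otp.h hunk, as is private_decrypt's in the previous hunk; the copies differ only in the key type. A single version-dependent alias, for example `typedef EVP_PKEY aclk_pkey_t;` in the OpenSSL 3 branch and `typedef RSA aclk_pkey_t;` otherwise, would let each prototype and definition appear once. That removes the risk of the two copies drifting apart when a parameter is added later. The function body continues outside this hunk.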
diff --git a/aclk/aclk_otp.h b/aclk/aclk_otp.h
index 1ca9245c26..2d660e5a4d 100644
--- a/aclk/aclk_otp.h
+++ b/aclk/aclk_otp.h
@@ -8,7 +8,11 @@
#include "https_client.h"
#include "aclk_util.h"
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300
+int aclk_get_mqtt_otp(EVP_PKEY *p_key, char **mqtt_id, char **mqtt_usr, char **mqtt_pass, url_t *target);
+#else
int aclk_get_mqtt_otp(RSA *p_key, char **mqtt_id, char **mqtt_usr, char **mqtt_pass, url_t *target);
+#endif
int aclk_get_env(aclk_env_t *env, const char *aclk_hostname, int aclk_port);
#endif /* ACLK_OTP_H */
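Review bot: The new `#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300` in this header relies on both macros already being defined by whatever was included earlier, and the definition of `OPENSSL_VERSION_300` is not part of the diff shown here. In a preprocessor condition an undefined identifier evaluates to 0, so a translation unit that sees neither macro would silently pick the `EVP_PKEY` prototype and could disagree with the definition in aclk_otp.c. Making the header self-contained, by including the headers that define the two macros or by guarding with `#if defined(OPENSSL_VERSION_300) && OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_300`, would remove the dependence on include order.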