authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-05 09:54:32 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-05 09:54:32 +0000
commitab42b8cfd86a186447528e538ec0ae94751cfc1d (patch)
tree4fa03c118292ab8801a30fc83e53a1958426b54c /runtime/net_ossl.c
parentAdding upstream version 8.2404.0. (diff)
Adding upstream version 8.2406.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--runtime/net_ossl.c97
1 files changed, 92 insertions, 5 deletions
diff --git a/runtime/net_ossl.c b/runtime/net_ossl.c
index 7008731..77d2141 100644
--- a/runtime/net_ossl.c
+++ b/runtime/net_ossl.c
@@ -59,7 +59,9 @@ void net_ossl_set_ssl_verify_callback(SSL *pSsl, int flags);
void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags);
void net_ossl_set_bio_callback(BIO *conn);
int net_ossl_verify_callback(int status, X509_STORE_CTX *store);
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd);
+#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
rsRetVal net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
X509* net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
rsRetVal net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
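Review bot: The closing comment `#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L` repeats only half of the condition it closes; the `!defined(LIBRESSL_VERSION_NUMBER)` part is the one a reader at the bottom of a guarded region is most likely to be surprised by, so I would write `#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L && !LIBRESSL_VERSION_NUMBER */`. The same abbreviated comment recurs where the definition and the interface assignment are guarded later in this diff, and it is worth fixing in all three places at once.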
@@ -188,7 +190,7 @@ int opensslh_THREAD_cleanup(void)
void
osslGlblInit(void)
{
- DBGPRINTF("openssl: entering osslGlblInit\n");
+ DBGPRINTF("osslGlblInit: ENTER\n");
if((opensslh_THREAD_setup() == 0) ||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -217,6 +219,31 @@ osslGlblInit(void)
ERR_load_BIO_strings();
ERR_load_crypto_strings();
#endif
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+
+ // Initialize OpenSSL engine library
+ ENGINE_load_builtin_engines();
+ /* Register all of them for every algorithm they collectively implement */
+ ENGINE_register_all_complete();
+
+ // Iterate through all available engines
+ ENGINE *osslEngine = ENGINE_get_first();
+ const char *engine_id = NULL;
+ const char *engine_name = NULL;
+ while (osslEngine) {
+ // Print engine ID and name if the engine is loaded
+ if (ENGINE_get_init_function(osslEngine)) { // Check if engine is initialized
+ engine_id = ENGINE_get_id(osslEngine);
+ engine_name = ENGINE_get_name(osslEngine);
+ DBGPRINTF("osslGlblInit: Loaded Engine: ID = %s, Name = %s\n", engine_id, engine_name);
+ }
+ osslEngine = ENGINE_get_next(osslEngine);
+ }
+ // Free the engine reference when done
+ ENGINE_free(osslEngine);
+#pragma GCC diagnostic pop
}
/* globally de-initialize OpenSSL */
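Review bot: `ENGINE_get_init_function()` in the loop's `if` returns the engine's init callback pointer, not its initialisation state, so the comments `// Print engine ID and name if the engine is loaded` and `// Check if engine is initialized` describe a check the code does not make; I would reword them to `// engine exposes an init callback; it has not necessarily been initialised`. The `ENGINE_free(osslEngine)` after the loop always runs on a NULL pointer, because `ENGINE_get_next()` releases the previous structural reference and returns NULL at the end of the list, so that line (and its comment) can go. All of the new `ENGINE_*` calls are unconditional: a libcrypto built with `OPENSSL_NO_ENGINE` will not compile this block, and `ENGINE_register_all_complete()` registers every builtin engine for every algorithm as a process-wide candidate even when no engine is configured, which as far as I read the ENGINE API is more than the later per-config `net_ossl_init_engine` needs. Wrapping the block in `#ifndef OPENSSL_NO_ENGINE` and keeping only `ENGINE_load_builtin_engines()` plus the debug listing here, leaving registration to the configured-engine path, would be safer.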
@@ -472,6 +499,7 @@ void net_ossl_lastOpenSSLErrorMsg
}
}
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
/* initialize tls config commands in openssl context
*/
rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd)
@@ -557,7 +585,7 @@ rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd)
finalize_it:
RETiRet;
}
-
+#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
/* Convert a fingerprint to printable data. The conversion is carried out
* according IETF I-D syslog-transport-tls-12. The fingerprint string is
@@ -730,7 +758,7 @@ net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP)
if(pThis->bReportAuthErr == 1) {
errno = 0;
LogMsg(0, RS_RET_INVALID_FINGERPRINT, LOG_WARNING,
- "nsd_ossl:TLS session terminated with remote syslog server '%s': "
+ "net_ossl:TLS session terminated with remote syslog server '%s': "
"Fingerprint check failed, not permitted to talk to %s",
fromHostIP, cstrGetSzStrNoNULL(pstrFingerprint));
pThis->bReportAuthErr = 0;
@@ -775,7 +803,7 @@ net_ossl_chkpeername(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP)
cstrFinalize(pStr);
errno = 0;
LogMsg(0, RS_RET_INVALID_FINGERPRINT, LOG_WARNING,
- "nsd_ossl:TLS session terminated with remote syslog server: "
+ "net_ossl:TLS session terminated with remote syslog server: "
"peer name not authorized, not permitted to talk to %s",
cstrGetSzStrNoNULL(pStr));
pThis->bReportAuthErr = 0;
@@ -813,7 +841,7 @@ net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP)
errno = 0;
pThis->bReportAuthErr = 0;
LogMsg(0, RS_RET_TLS_NO_CERT, LOG_WARNING,
- "nsd_ossl:TLS session terminated with remote syslog server '%s': "
+ "net_ossl:TLS session terminated with remote syslog server '%s': "
"Peer check failed, peer did not provide a certificate.", fromHostIP);
}
}
@@ -1115,6 +1143,58 @@ net_ossl_verify_cookie(SSL *ssl, const unsigned char *cookie, unsigned int cooki
}
static rsRetVal
+net_ossl_init_engine(__attribute__((unused)) net_ossl_t *pThis)
+{
+ DEFiRet;
+ const char *engine_id = NULL;
+ const char *engine_name = NULL;
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+ // Get the default RSA engine
+ ENGINE *default_engine = ENGINE_get_default_RSA();
+ if (default_engine) {
+ engine_id = ENGINE_get_id(default_engine);
+ engine_name = ENGINE_get_name(default_engine);
+ DBGPRINTF("net_ossl_init_engine: Default RSA Engine: ID = %s, Name = %s\n", engine_id, engine_name);
+
+ // Free the engine reference when done
+ ENGINE_free(default_engine);
+ } else {
+ DBGPRINTF("net_ossl_init_engine: No default RSA Engine set.\n");
+ }
+
+ /* Setting specific Engine */
+ if (runConf != NULL && glbl.GetDfltOpensslEngine(runConf) != NULL) {
+ default_engine = ENGINE_by_id((char *)glbl.GetDfltOpensslEngine(runConf));
+ if (default_engine && ENGINE_init(default_engine)) {
+ /* engine initialised */
+ ENGINE_set_default_DSA(default_engine);
+ ENGINE_set_default_ciphers(default_engine);
+
+ /* Switch to Engine */
+ DBGPRINTF("net_ossl_init_engine: Changed default Engine to %s\n",
+ glbl.GetDfltOpensslEngine(runConf));
+
+ /* Release the functional reference from ENGINE_init() */
+ ENGINE_finish(default_engine);
+ } else {
+ LogError(0, RS_RET_VALUE_NOT_SUPPORTED, "error: ENGINE_init failed to load Engine '%s'"
+ "ossl netstream driver", glbl.GetDfltOpensslEngine(runConf));
+ net_ossl_lastOpenSSLErrorMsg(NULL, 0, NULL, LOG_ERR, "net_ossl_init_engine", "ENGINE_init");
+ }
+ // Free the engine reference when done
+ ENGINE_free(default_engine);
+ } else {
+ DBGPRINTF("net_ossl_init_engine: use openssl default Engine");
+ }
+#pragma GCC diagnostic pop
+
+ RETiRet;
+}
+
+
+static rsRetVal
net_ossl_ctx_init_cookie(net_ossl_t *pThis)
{
DEFiRet;
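Review bot: The configured engine is only made the default for DSA and symmetric ciphers (`ENGINE_set_default_DSA` / `ENGINE_set_default_ciphers`), so RSA and EC private-key operations — the usual reason to point a TLS stack at an engine such as a PKCS#11 or HSM module — keep running on the builtin implementations; `ENGINE_set_default(default_engine, ENGINE_METHOD_ALL)` (or an explicit method list) is what the option name promises. The function also never assigns `iRet`, so the `LogError` branch for an engine that cannot be found or initialised still returns RS_RET_OK and the driver silently falls back to software crypto, which turns the constructor's `CHKiRet` into a no-op; if a configured engine is meant to be authoritative the branch should `ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED)`. Separately, `ENGINE_get_default_RSA()` hands back a reference that the engine table has already `ENGINE_init()`'d, so releasing it with `ENGINE_free()` instead of `ENGINE_finish()` leaks the functional reference, and the error string concatenates to `'%s'ossl netstream driver` with no separator. `net_ossl_ctx_init_cookie` at the end of the hunk continues outside it.
```c
	/* … unchanged: default-RSA engine report (release it with ENGINE_finish(), not ENGINE_free()) … */

	/* Setting specific Engine */
	if (runConf != NULL && glbl.GetDfltOpensslEngine(runConf) != NULL) {
		default_engine = ENGINE_by_id((char *)glbl.GetDfltOpensslEngine(runConf));
		if (default_engine && ENGINE_init(default_engine)) {
			/* make the configured engine the default for every method it
			 * implements (RSA/EC/digests/RAND included), not only DSA and ciphers */
			if (!ENGINE_set_default(default_engine, ENGINE_METHOD_ALL)) {
				net_ossl_lastOpenSSLErrorMsg(NULL, 0, NULL, LOG_ERR,
					"net_ossl_init_engine", "ENGINE_set_default");
				ENGINE_finish(default_engine);
				ENGINE_free(default_engine);
				ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
			}
			DBGPRINTF("net_ossl_init_engine: Changed default Engine to %s\n",
				glbl.GetDfltOpensslEngine(runConf));
			/* Release the functional reference from ENGINE_init() */
			ENGINE_finish(default_engine);
		} else {
			LogError(0, RS_RET_VALUE_NOT_SUPPORTED,
				"error: ENGINE_init failed to load Engine '%s' (ossl netstream driver)",
				glbl.GetDfltOpensslEngine(runConf));
			net_ossl_lastOpenSSLErrorMsg(NULL, 0, NULL, LOG_ERR, "net_ossl_init_engine", "ENGINE_init");
			ENGINE_free(default_engine);
			/* a configured engine that cannot be loaded must not silently fall back to software crypto */
			ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
		}
		ENGINE_free(default_engine);
	} else {
		DBGPRINTF("net_ossl_init_engine: use openssl default Engine");
	}
#pragma GCC diagnostic pop

finalize_it:
	RETiRet;
```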
@@ -1159,6 +1239,10 @@ net_ossl_set_bio_callback(BIO *conn)
BEGINobjConstruct(net_ossl) /* be sure to specify the object type also in END macro! */
DBGPRINTF("net_ossl_construct: [%p]\n", pThis);
pThis->bReportAuthErr = 1;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ CHKiRet(net_ossl_init_engine(pThis));
+finalize_it:
+#endif
ENDobjConstruct(net_ossl)
/* destructor for the net_ossl object */
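Review bot: `net_ossl_init_engine` is now invoked from the object constructor, but what it does (`ENGINE_by_id`/`ENGINE_init`/`ENGINE_set_default_*`) is process-global libcrypto state, so the lookup and re-registration are repeated for every net_ossl object that is constructed and, through `pIf->osslInitEngine`, by any interface user as well; engine selection belongs in `osslGlblInit` or behind a once-only guard such as a static flag. As the function in the other hunk never returns anything but RS_RET_OK, the added `CHKiRet`/`finalize_it` pair currently cannot fail — acceptable as scaffolding, but worth a comment such as `/* engine load failures are logged by net_ossl_init_engine, not fatal */` until that changes. The constructor also only attempts engine setup under `OPENSSL_VERSION_NUMBER >= 0x10100000L`, while the configured engine name is presumably accepted regardless of library version, so on older builds a configured engine would be ignored without any message.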
@@ -1195,13 +1279,16 @@ CODESTARTobjQueryInterface(net_ossl)
pIf->osslPeerfingerprint = net_ossl_peerfingerprint;
pIf->osslGetpeercert = net_ossl_getpeercert;
pIf->osslChkpeercertvalidity = net_ossl_chkpeercertvalidity;
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
pIf->osslApplyTlscgfcmd = net_ossl_apply_tlscgfcmd;
+#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
pIf->osslSetBioCallback = net_ossl_set_bio_callback;
pIf->osslSetCtxVerifyCallback = net_ossl_set_ctx_verify_callback;
pIf->osslSetSslVerifyCallback = net_ossl_set_ssl_verify_callback;
pIf->osslLastOpenSSLErrorMsg = net_ossl_lastOpenSSLErrorMsg;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
pIf->osslCtxInitCookie = net_ossl_ctx_init_cookie;
+ pIf->osslInitEngine = net_ossl_init_engine;
#endif
finalize_it:
ENDobjQueryInterface(net_ossl)
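Review bot: `pIf->osslApplyTlscgfcmd` is now left unassigned on LibreSSL and on OpenSSL older than 1.0.2, and `pIf->osslInitEngine` on anything below 1.1.0, so an interface user that calls either on such a build goes through whatever the interface struct was initialised with (presumably NULL); either the call sites need a NULL check or the `#else` branches should assign a stub that returns RS_RET_VALUE_NOT_SUPPORTED so the failure is a logged error rather than a crash. A one-line comment above the first guard, `/* members left NULL when the library lacks the feature; callers must check */`, would at least make the contract explicit.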