
tls: make explicit ENGINE deprecation in OpenSSL 3

S-P Chan 1 ano atrás
pai
commit
0c68a5511e
3 arquivos alterados com 34 adições e 31 exclusões
  1. 13 12
      src/modules/tls/tls_domain.c
  2. 13 12
      src/modules/tls/tls_mod.c
  3. 8 7
      src/modules/tls/tls_server.c

+ 13 - 12
src/modules/tls/tls_domain.c

@@ -30,15 +30,16 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-#define OPENSSL_NO_ENGINE
+/* only OpenSSL <= 1.1.1 */
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_ENGINE
 #endif
 
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 #include <openssl/engine.h>
 #include "tls_map.h"
 extern EVP_PKEY *tls_engine_private_key(const char *key_id);
-#endif
+#endif /* KSR_SSL_ENGINE */
 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 #include <openssl/ui.h>
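Review bot: The `KSR_SSL_ENGINE` feature test added at lines 26-29 is repeated verbatim in tls_mod.c and tls_server.c, and the explanatory comment already differs between the copies (`/* only OpenSSL <= 1.1.1 */` here versus `/* Engine is deprecated in OpenSSL 3 */` in tls_mod.c), so the three conditions can drift the next time the version threshold or the `OPENSSL_NO_ENGINE` handling changes. Define the macro once in a header that all three translation units include, with a single comment stating both facts, e.g. `/* ENGINE API: used only when the OpenSSL build provides it and is < 3.0, where it is deprecated */`. The per-file `#endif /* KSR_SSL_ENGINE */` markers can stay as they are.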
@@ -1227,7 +1228,7 @@ err:
 #endif
 }
 
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 /*
  * Implement a hash map from SSL_CTX to private key
  * as HSM keys need to be process local
@@ -1329,7 +1330,7 @@ static int load_engine_private_key(tls_domain_t *d)
 			d->pkey_file.s);
 	return 0;
 }
-#endif
+#endif /* KSR_SSL_ENGINE */
 /**
  * @brief Load a private key from a file
  * @param d TLS domain
@@ -1353,7 +1354,7 @@ static int load_private_key(tls_domain_t *d)
 		SSL_CTX_set_default_passwd_cb_userdata(d->ctx[i], d->pkey_file.s);
 
 		for(idx = 0, ret_pwd = 0; idx < 3; idx++) {
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 			// in PROC_INIT skip loading HSM keys due to
 			// fork() issues with PKCS#11 libraries
 			if(strncmp(d->pkey_file.s, "/engine:", 8) != 0) {
@@ -1365,7 +1366,7 @@ static int load_private_key(tls_domain_t *d)
 #else
 			ret_pwd = SSL_CTX_use_PrivateKey_file(
 					d->ctx[i], d->pkey_file.s, SSL_FILETYPE_PEM);
-#endif
+#endif /* KSR_SSL_ENGINE */
 			if(ret_pwd) {
 				break;
 			} else {
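Review bot: In the `#else` branch at lines 69-71 a `pkey_file` that still carries the `/engine:` prefix is handed to `SSL_CTX_use_PrivateKey_file` as a plain path, so on an OpenSSL 3 build (where `KSR_SSL_ENGINE` is now never defined) an HSM key configured this way fails with a generic PEM load error instead of naming the cause. Since the commit's aim is to make the deprecation explicit, rejecting the prefix up front in that branch gives the operator a direct message: `if(strncmp(d->pkey_file.s, "/engine:", 8) == 0) { ERR("engine keys (/engine:) are not supported by this OpenSSL build\n"); return -1; }`. `load_private_key` begins and ends outside this hunk, so the retry loop's other exits are not visible here.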
@@ -1382,12 +1383,12 @@ static int load_private_key(tls_domain_t *d)
 			TLS_ERR("load_private_key:");
 			return -1;
 		}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 		if(strncmp(d->pkey_file.s, "/engine:", 8) == 0) {
 			// skip private key validity check for HSM keys
 			continue;
 		}
-#endif
+#endif /* KSR_SSL_ENGINE */
 		if(!SSL_CTX_check_private_key(d->ctx[i])) {
 			ERR("%s: Key '%s' does not match the public key of the"
 				" certificate\n",
@@ -1403,7 +1404,7 @@ static int load_private_key(tls_domain_t *d)
 }
 
 
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 /**
  * @brief Initialize engine private keys
  *
@@ -1435,7 +1436,7 @@ int tls_fix_engine_keys(tls_domains_cfg_t *cfg, tls_domain_t *srv_defaults,
 
 	return 0;
 }
-#endif
+#endif /* KSR_SSL_ENGINE */
 /**
  * @brief Initialize attributes of all domains from default domains if necessary
  *

+ 13 - 12
src/modules/tls/tls_mod.c

@@ -91,8 +91,9 @@ int ksr_rand_engine_param(modparam_t type, void *val);
 
 MODULE_VERSION
 
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-#define OPENSSL_NO_ENGINE
+/* Engine is deprecated in OpenSSL 3 */
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_ENGINE
 #endif
 
 extern str sr_tls_event_callback;
@@ -149,7 +150,7 @@ tls_domain_t srv_defaults = {
 };
 
 
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 
 typedef struct tls_engine
 {
@@ -166,7 +167,7 @@ static tls_engine_t tls_engine_settings = {
 		STR_STATIC_INIT("NONE"),
 		STR_STATIC_INIT("ALL"),
 };
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* KSR_SSL_ENGINE */
 /*
  * Default settings for client domains when using external config file
  */
@@ -231,12 +232,12 @@ static param_export_t params[] = {
 		{"crl", PARAM_STR, &default_tls_cfg.crl},
 		{"cipher_list", PARAM_STR, &default_tls_cfg.cipher_list},
 		{"connection_timeout", PARAM_INT, &default_tls_cfg.con_lifetime},
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 		{"engine", PARAM_STR, &tls_engine_settings.engine},
 		{"engine_config", PARAM_STR, &tls_engine_settings.engine_config},
 		{"engine_algorithms", PARAM_STR,
 				&tls_engine_settings.engine_algorithms},
-#endif /* OPENSSL_NO_ENGINE */
+#endif /* KSR_SSL_ENGINE */
 		{"tls_log", PARAM_INT, &default_tls_cfg.log},
 		{"tls_debug", PARAM_INT, &default_tls_cfg.debug},
 		{"session_cache", PARAM_INT, &default_tls_cfg.session_cache},
@@ -432,10 +433,10 @@ error:
 }
 
 
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 static int tls_engine_init();
 int tls_fix_engine_keys(tls_domains_cfg_t *, tls_domain_t *, tls_domain_t *);
-#endif
+#endif /* KSR_SSL_ENGINE */
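Review bot: The forward declaration `static int tls_engine_init();` kept at line 165 is a non-prototype declaration (empty parameter list), obsolescent since C99, which means calls to it are not checked against the definition's parameters; write it as `static int tls_engine_init(void);`. The neighbouring `tls_fix_engine_keys` prototype already spells out its parameter types, so this also makes the two declarations consistent.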
 
 /*
  * OpenSSL 1.1.1+: SSL_CTX is repeated in each worker
@@ -476,7 +477,7 @@ static int mod_child(int rank)
 		return run_thread4PP((_thread_proto4PP)mod_child_hook, &rank, NULL);
 	}
 
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 	/*
 	 * after the child is fork()ed we go through the TLS domains
 	 * and fix up private keys from engine
@@ -492,7 +493,7 @@ static int mod_child(int rank)
 			return -1;
 		LM_INFO("OpenSSL Engine loaded private keys in child: %d\n", rank);
 	}
-#endif
+#endif /* KSR_SSL_ENGINE */
 	return 0;
 }
 
@@ -702,7 +703,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
 }
 
 
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 /*
  * initialize OpenSSL engine in child process
  * PKCS#11 libraries are not guaranteed to be fork() safe
@@ -796,4 +797,4 @@ EVP_PKEY *tls_engine_private_key(const char *key_id)
 {
 	return ENGINE_load_private_key(ksr_tls_engine, key_id, NULL, NULL);
 }
-#endif
+#endif /* KSR_SSL_ENGINE */

+ 8 - 7
src/modules/tls/tls_server.c

@@ -128,8 +128,9 @@ int tls_run_event_routes(struct tcp_connection *c);
 #endif /* __SUNPRO_c */
 #endif /* TLS_RD_DEBUG */
 
-#if OPENSSL_VERSION_NUMBER >= 0x030000000L
-#define OPENSSL_NO_ENGINE
+/* only OpenSSL <= 1.1.1 */
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER < 0x030000000L
+#define KSR_SSL_ENGINE
 #endif
 
 extern str sr_tls_xavp_cfg;
@@ -427,10 +428,10 @@ static void tls_dump_cert_info(char *s, X509 *cert)
 }
 
 
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 // lookup HSM keys in process-local memory
 EVP_PKEY *tls_lookup_private_key(SSL_CTX *);
-#endif
+#endif /* KSR_SSL_ENGINE */
 /** wrapper around SSL_accept, usin SSL return convention.
  * It will also log critical errors and certificate debugging info.
  * @param c - tcp connection with tls (extra_data must be a filled
@@ -461,12 +462,12 @@ int tls_accept(struct tcp_connection *c, int *error)
 		BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
 		goto err;
 	}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 	/* check if we have a HSM key */
 	EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
 	if(pkey)
 		SSL_use_PrivateKey(ssl, pkey);
-#endif
+#endif /* KSR_SSL_ENGINE */
 	tls_openssl_clear_errors();
 	ret = SSL_accept(ssl);
 	if(unlikely(ret == 1)) {
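Review bot: The return value of `SSL_use_PrivateKey(ssl, pkey)` at line 243 is discarded, so if installing the process-local HSM key fails the code proceeds straight to `SSL_accept` with whatever key the context carries (for `/engine:` domains, possibly none), and the failure surfaces later as an opaque handshake error. Check it and take the existing error path: `if(pkey && SSL_use_PrivateKey(ssl, pkey) != 1) { TLS_ERR("tls_accept: SSL_use_PrivateKey"); goto err; }`. `tls_accept` begins and ends outside this hunk, and the `tls_connect` counterpart at line 256 is cut off here, so its handling may already differ.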
@@ -531,7 +532,7 @@ int tls_connect(struct tcp_connection *c, int *error)
 		BUG("Invalid connection state %d (bug in TLS code)\n", tls_c->state);
 		goto err;
 	}
-#ifndef OPENSSL_NO_ENGINE
+#ifdef KSR_SSL_ENGINE
 	// lookup HSM private key in process-local memory
 	EVP_PKEY *pkey = tls_lookup_private_key(SSL_get_SSL_CTX(ssl));
 	if(pkey) {