From 00818e7b25bbee713cf7209fc4d901b7ca2b6561 Mon Sep 17 00:00:00 2001 From: jpfox156 Date: Tue, 25 Jul 2023 04:56:46 +1000 Subject: [PATCH] [Core] OpenSSL 3 support --- src/switch_apr.c | 32 +++++++++++++++++++++++++++----- src/switch_core_cert.c | 42 ++++++++++++++++++++++++++++++++++++++---- src/switch_rtp.c | 12 ++++++++++++ 3 files changed, 77 insertions(+), 9 deletions(-) diff --git a/src/switch_apr.c b/src/switch_apr.c index 9bc5d8a759..bd6cfdec56 100644 --- a/src/switch_apr.c +++ b/src/switch_apr.c @@ -74,7 +74,16 @@ #if (defined(HAVE_LIBMD5) || defined(HAVE_LIBMD) || defined(HAVE_MD5INIT)) #include #elif defined(HAVE_LIBCRYPTO) -#include + #ifndef OPENSSL_VERSION_NUMBER + #include + #endif + #if OPENSSL_VERSION_NUMBER < 0x30000000 + #include + #else + #include + #endif +#else + #include #endif #ifndef WIN32 @@ -1174,11 +1183,24 @@ SWITCH_DECLARE(switch_status_t) switch_md5(unsigned char digest[SWITCH_MD5_DIGES return SWITCH_STATUS_SUCCESS; #elif defined(HAVE_LIBCRYPTO) - MD5_CTX md5_context; + #if OPENSSL_VERSION_NUMBER < 0x30000000 + MD5_CTX md5_context; - MD5_Init(&md5_context); - MD5_Update(&md5_context, input, inputLen); - MD5_Final(digest, &md5_context); + MD5_Init(&md5_context); + MD5_Update(&md5_context, input, inputLen); + MD5_Final(digest, &md5_context); + #else + EVP_MD_CTX *md5_context; + + /* MD5_Init */ + md5_context = EVP_MD_CTX_new(); + EVP_DigestInit_ex(md5_context, EVP_md5(), NULL); + /* MD5_Update */ + EVP_DigestUpdate(md5_context, input, inputLen); + /* MD5_Final */ + EVP_DigestFinal_ex(md5_context, digest, NULL); + EVP_MD_CTX_free(md5_context); + #endif return SWITCH_STATUS_SUCCESS; #else diff --git a/src/switch_core_cert.c b/src/switch_core_cert.c index c4fdd84210..64f497ea1a 100644 --- a/src/switch_core_cert.c +++ b/src/switch_core_cert.c 
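Review bot: The OpenSSL 3 branch of switch_md5 (hunk @@ -1174) checks none of the EVP return values, so a NULL `EVP_MD_CTX_new()` result or a failed `EVP_DigestInit_ex` (for example when only a FIPS provider is loaded, which does not offer MD5) leaves `digest` untouched while the function still returns SWITCH_STATUS_SUCCESS, and the caller goes on to use uninitialised bytes as the hash. Each call returns 1 on success, so test them in one chain, free the context on both paths (`EVP_MD_CTX_free(NULL)` is a no-op) and report the failure with a non-success status such as `SWITCH_STATUS_FALSE`. The `/* MD5_Init */`-style comments can then go, since the mapping to the old API is obvious from the call names. switch_md5 begins before this hunk, so the status used by its other fallback branches is not visible here; match whichever one it uses.
```c
	EVP_MD_CTX *md5_context = EVP_MD_CTX_new();

	/* Every EVP step can fail; never report success with digest left unset. */
	if (!md5_context
	    || EVP_DigestInit_ex(md5_context, EVP_md5(), NULL) != 1
	    || EVP_DigestUpdate(md5_context, input, inputLen) != 1
	    || EVP_DigestFinal_ex(md5_context, digest, NULL) != 1) {
		EVP_MD_CTX_free(md5_context);
		return SWITCH_STATUS_FALSE;
	}
	EVP_MD_CTX_free(md5_context);
	/* … unchanged: #endif and the existing return SWITCH_STATUS_SUCCESS … */
```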
@@ -287,7 +287,10 @@ SWITCH_DECLARE(int) switch_core_gen_certs(const char *prefix) //bio_err=BIO_new_fp(stderr, BIO_NOCLOSE); - mkcert(&x509, &pkey, 4096, 0, 36500); + if (!mkcert(&x509, &pkey, 4096, 0, 36500)) { + switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_ERROR, "Certificate generation failed\n"); + goto end; + } //RSA_print_fp(stdout, pkey->pkey.rsa, 0); //X509_print_fp(stdout, x509); @@ -410,7 +413,9 @@ static int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days { X509 *x; EVP_PKEY *pk; +#if OPENSSL_VERSION_NUMBER < 0x30000000 RSA *rsa; +#endif X509_NAME *name=NULL; switch_assert(pkeyp); @@ -432,7 +437,26 @@ static int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days x = *x509p; } -#if OPENSSL_VERSION_NUMBER >= 0x10100000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + { + EVP_PKEY_CTX *ctx; + + ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); + /* Setup the key context */ + if ((!ctx) || (EVP_PKEY_keygen_init(ctx) <= 0) || (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) <= 0)) { + abort(); + goto err; + } + + /* Generate key */ + if (EVP_PKEY_generate(ctx, &pk) <= 0) { + abort(); + goto err; + } + + EVP_PKEY_CTX_free(ctx); + } +#elif OPENSSL_VERSION_NUMBER >= 0x10100000 rsa = RSA_new(); { static const BN_ULONG ULONG_RSA_F4 = RSA_F4; @@ -449,11 +473,13 @@ static int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL); #endif +#if OPENSSL_VERSION_NUMBER < 0x30000000 if (!EVP_PKEY_assign_RSA(pk, rsa)) { abort(); } rsa = NULL; +#endif X509_set_version(x, 2); ASN1_INTEGER_set(X509_get_serialNumber(x), serial); 
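Review bot: In the OpenSSL 3 key-generation block of mkcert (hunk @@ -432) each `goto err;` is preceded by `abort()`, so the jump is dead code and the new failure path added in switch_core_gen_certs (`if (!mkcert(...))` logging "Certificate generation failed") can never be reached for a keygen failure; the process simply dies. The `EVP_PKEY_CTX` is also never released on those paths, and because `ctx` lives in the inner block it is out of scope at `err:`, so it must be freed before jumping (`EVP_PKEY_CTX_free` accepts NULL). The pre-existing `abort()` around `EVP_PKEY_assign_RSA` in hunk @@ -449 keeps the old behaviour on OpenSSL 1.x; if the goal is a clean `return(0)` there as well, give it the same treatment. `pk` is presumably allocated with `EVP_PKEY_new()` before this hunk (not visible here); confirm that `EVP_PKEY_generate` accepts a pre-allocated `*ppkey` on the targeted OpenSSL 3 release, otherwise pass a NULL `EVP_PKEY *` and let it allocate. mkcert begins and ends outside this hunk.
```c
	{
		EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);

		/* Setup the key context; on failure release it and let the caller handle the error */
		if (!ctx || EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) <= 0) {
			EVP_PKEY_CTX_free(ctx);
			goto err;
		}

		/* Generate key */
		if (EVP_PKEY_generate(ctx, &pk) <= 0) {
			EVP_PKEY_CTX_free(ctx);
			goto err;
		}

		EVP_PKEY_CTX_free(ctx);
	}
	/* … unchanged: #elif OPENSSL_VERSION_NUMBER >= 0x10100000 branch … */
```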
@@ -476,13 +502,21 @@ static int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days */ X509_set_issuer_name(x, name); - if (!X509_sign(x, pk, EVP_sha1())) +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + if (!X509_sign(x, pk, EVP_sha256())) { +#else + if (!X509_sign(x, pk, EVP_sha1())) { +#endif goto err; + } *x509p = x; *pkeyp = pk; + return(1); - err: +err: + ERR_print_errors_fp(stdout); + return(0); } diff --git a/src/switch_rtp.c b/src/switch_rtp.c index 94106aec84..17ba4867f3 100644 --- a/src/switch_rtp.c +++ b/src/switch_rtp.c @@ -3643,7 +3643,11 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d const SSL_METHOD *ssl_method; SSL_CTX *ssl_ctx; BIO *bio; +#if OPENSSL_VERSION_NUMBER >= 0x30000000 + EVP_PKEY *dh_pk; +#else DH *dh; +#endif switch_status_t status = SWITCH_STATUS_SUCCESS; #ifndef OPENSSL_NO_EC #if OPENSSL_VERSION_NUMBER < 0x10002000L @@ -3723,13 +3727,21 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d switch_assert(dtls->ssl_ctx); bio = BIO_new_file(dtls->pem, "r"); +#if OPENSSL_VERSION_NUMBER < 0x30000000 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); if (dh) { SSL_CTX_set_tmp_dh(dtls->ssl_ctx, dh); DH_free(dh); } +#else + if((dh_pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL)) != NULL) { + SSL_CTX_set0_tmp_dh_pkey(dtls->ssl_ctx, dh_pk); + EVP_PKEY_free(dh_pk); + } + BIO_free(bio); +#endif SSL_CTX_set_mode(dtls->ssl_ctx, SSL_MODE_AUTO_RETRY); //SSL_CTX_set_verify(dtls->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
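Review bot: The digest split in hunk @@ -476 leaves builds against OpenSSL 1.x still signing the generated certificate with SHA-1, a signature algorithm peers increasingly reject and that OpenSSL 3 itself refuses at its default security level; `EVP_sha256()` is available on every OpenSSL release the surrounding `#if` branches already support, so the version test buys nothing. Replace the five preprocessor lines with the single `if (!X509_sign(x, pk, EVP_sha256())) {`. Separately, `ERR_print_errors_fp(stdout)` at `err:` dumps the OpenSSL error queue to stdout while the rest of this change reports through `switch_log_printf`; routing it through `ERR_print_errors_cb` into the switch log would keep failures in one place. The body of mkcert begins before this hunk.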
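Review bot: The OpenSSL 3 branch in hunk @@ -3723 frees `dh_pk` right after handing it to `SSL_CTX_set0_tmp_dh_pkey`, but the set0 call transfers ownership to the SSL_CTX on success, so the `EVP_PKEY_free` leaves the context holding a freed key; the caller only keeps ownership when set0 returns 0. In addition, `PEM_read_bio_PrivateKey` parses private-key PEM blocks, not `DH PARAMETERS`; if `dtls->pem` carries the RSA key ahead of the DH parameters (it presumably does, since the 1.x branch reads the same file), this returns the RSA key, set0 rejects it and no DH parameters are installed at all. Read the parameters with `PEM_read_bio_Parameters`, free the key only on set0 failure, and keep `BIO_free(bio)` after the read as the hunk already does (the missing space in `if(` is also worth aligning with the file's `if (` style). switch_rtp_add_dtls starts and ends outside this hunk.
```c
	if ((dh_pk = PEM_read_bio_Parameters(bio, NULL)) != NULL) {
		/* set0: on success the SSL_CTX owns dh_pk, so free it only when it was rejected */
		if (!SSL_CTX_set0_tmp_dh_pkey(dtls->ssl_ctx, dh_pk)) {
			EVP_PKEY_free(dh_pk);
		}
	}
	BIO_free(bio);
	/* … unchanged: #endif and SSL_CTX_set_mode … */
```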