git: 88ea962879be - main - rpc.tls[serv|clnt]d.c: Clean up code for OpenSSL3

From: Rick Macklem <rmacklem_at_FreeBSD.org>
Date: Thu, 01 Jun 2023 20:45:11 UTC
The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=88ea962879be7f989b263ad6d6686d72d888253a

commit 88ea962879be7f989b263ad6d6686d72d888253a
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2023-06-01 20:43:00 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2023-06-01 20:43:00 +0000

    rpc.tls[serv|clnt]d.c: Clean up code for OpenSSL3
    
    There were several function calls that are deprecated for
    OpenSSL1.1.1.  These have been removed.
    There was also a function call deprecated for OpenSSL3 and
    that one has been #ifdef'd on OPENSSL_VERSION_NUMBER.
    
    Reviewed by:    emaste, ngie
    Differential Revision:  https://reviews.freebsd.org/D40275
---
 usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c | 10 ++++------
 usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 10 ++++------
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
index bdb6be6c0222..e6784576982a 100644
--- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
+++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
@@ -299,7 +299,6 @@ main(int argc, char **argv)
 	rpctls_syscall(RPCTLS_SYSC_CLSHUTDOWN, "");
 
 	SSL_CTX_free(rpctls_ctx);
-	EVP_cleanup();
 	return (0);
 }
 
@@ -480,17 +479,12 @@ rpctls_setupcl_ssl(void)
 	size_t len, rlen;
 	int ret;
 
-	SSL_library_init();
-	SSL_load_error_strings();
-	OpenSSL_add_all_algorithms();
-
 	ctx = SSL_CTX_new(TLS_client_method());
 	if (ctx == NULL) {
 		rpctls_verbose_out("rpctls_setupcl_ssl: SSL_CTX_new "
 		    "failed\n");
 		return (NULL);
 	}
-	SSL_CTX_set_ecdh_auto(ctx, 1);
 
 	if (rpctls_ciphers != NULL) {
 		/*
@@ -686,7 +680,11 @@ rpctls_connect(SSL_CTX *ctx, int s, char *certname, u_int certlen, X509 **certp)
 		return (NULL);
 	}
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+	cert = SSL_get1_peer_certificate(ssl);
+#else
 	cert = SSL_get_peer_certificate(ssl);
+#endif
 	if (cert == NULL) {
 		rpctls_verbose_out("rpctls_connect: get peer"
 		    " certificate failed\n");
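Review bot: The `cert =` assignment under the new `#if` does not record who owns the returned X509. Both SSL_get1_peer_certificate() and the pre-3.0 SSL_get_peer_certificate() return a reference the caller must release, so a comment above the `#if` such as `/* Either call returns a new reference; it must reach X509_free() or be handed to the caller. */` would help keep later error paths from leaking it. The same applies to the identical `#if` block in the rpctls_server hunk of rpc.tlsservd.c. Both functions continue outside their hunks, so whether every exit after this point frees cert cannot be confirmed from here.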
diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index 310b6fe6f449..275bc2b9389b 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -416,7 +416,6 @@ main(int argc, char **argv)
 	rpctls_svc_run();
 
 	SSL_CTX_free(rpctls_ctx);
-	EVP_cleanup();
 	return (0);
 }
 
@@ -652,16 +651,11 @@ rpctls_setup_ssl(const char *certdir)
 	size_t len, rlen;
 	int ret;
 
-	SSL_library_init();
-	SSL_load_error_strings();
-	OpenSSL_add_all_algorithms();
-
 	ctx = SSL_CTX_new(TLS_server_method());
 	if (ctx == NULL) {
 		rpctls_verbose_out("rpctls_setup_ssl: SSL_CTX_new failed\n");
 		return (NULL);
 	}
-	SSL_CTX_set_ecdh_auto(ctx, 1);
 
 	if (rpctls_ciphers != NULL) {
 		/*
@@ -811,7 +805,11 @@ rpctls_server(SSL_CTX *ctx, int s, uint32_t *flags, uint32_t *uidp,
 		    SSL_get_cipher(ssl));
 	}
 	if (rpctls_do_mutual) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+		cert = SSL_get1_peer_certificate(ssl);
+#else
 		cert = SSL_get_peer_certificate(ssl);
+#endif
 		if (cert != NULL) {
 			if (!rpctls_verbose) {
 				gethostret = rpctls_gethost(s, sad, hostnam,