openssl: support OpenSSL 3.0 and above (#1349)

## Summary The only ABI change between version 1.1.1 and 3.0 for our usage is `SSL_get_peer_certificate` being splitted into `SSL_get1_peer_certificate` (which is compatible with the prior symbol) and `SSL_get0_peer_certificate` . This PR modifies `SSL_get_peer_certificate` in the wrapper to use the new symbol if available. No changes in other programs are required. ## Details * `SSL_get_peer_certificate` will now select either `SSL_get1_peer_certificate` or `SSL_get_peer_certificate` depending on which symbols are available. * DLL names for OpenSSL 3.x has been added for macOS, Windows and Linux. * The symbols used for certificate verification are no longer unconditionally hidden on Windows. They were hidden previously as Nim ships old OpenSSL 1.0 which did not have these symbols. Fixes #1160
nim-works · Jun 18, 2024 · cdcf8f7 · cdcf8f7
1 parent a13f09b
commit cdcf8f7
Showing 1 changed file with 14 additions and 10 deletions.
diff --git a/lib/wrappers/openssl.nim b/lib/wrappers/openssl.nim
@@ -63,19 +63,19 @@ elif useWinVersion:
         DLLUtilName* = "libeay32.dll"
   elif defined(cpu64):
     const
-      DLLSSLName* = "(libssl-1_1-x64|ssleay64|libssl64).dll"
-      DLLUtilName* = "(libcrypto-1_1-x64|libeay64).dll"
+      DLLSSLName* = "(libssl-3-x64|libssl-1_1-x64|ssleay64|libssl64).dll"
+      DLLUtilName* = "(libcrypto-3-x64|libcrypto-1_1-x64|libeay64).dll"
   else:
     const
-      DLLSSLName* = "(libssl-1_1|ssleay32|libssl32).dll"
-      DLLUtilName* = "(libcrypto-1_1|libeay32).dll"
+      DLLSSLName* = "(libssl-3|libssl-1_1|ssleay32|libssl32).dll"
+      DLLUtilName* = "(libssl-3|libcrypto-1_1|libeay32).dll"
 
   from std/winlean import SocketHandle
 else:
   when defined(osx):
-    const versions = "(.1.1|.38|.39|.41|.43|.44|.45|.46|.47|.48|.10|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|)"
+    const versions = "(.3|.1.1|.38|.39|.41|.43|.44|.45|.46|.47|.48|.10|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|)"
   else:
-    const versions = "(.1.1|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|.48|.47|.46|.45|.44|.43|.41|.39|.38|.10|)"
+    const versions = "(.3|.1.1|.1.0.2|.1.0.1|.1.0.0|.0.9.9|.0.9.8|.48|.47|.46|.45|.44|.43|.41|.39|.38|.10|)"
 
   when defined(macosx):
     const
@@ -796,10 +796,14 @@ when defined(nimHasStyleChecks):
 
 # Certificate validation
 # On old openSSL version some of these symbols are not available
-when not defined(nimDisableCertificateValidation) and not defined(windows):
-
-  proc SSL_get_peer_certificate*(ssl: SslCtx): PX509{.cdecl, dynlib: DLLSSLName,
-      importc.}
+when not defined(nimDisableCertificateValidation):
+
+  proc SSL_get_peer_certificate*(ssl: SslCtx): PX509 {.gcsafe, tags: [].} =
+    {.cast(tags: []), cast(gcsafe).}:
+      let thisProc {.global.} = cast[proc (ssl: SslCtx): PX509 {.cdecl.}](
+        sslSymThrows("SSL_get1_peer_certificate", "SSL_get_peer_certificate")
+      )
+      if not thisProc.isNil: result = thisProc(ssl)
 
   proc X509_get_subject_name*(a: PX509): PX509_NAME{.cdecl, dynlib: DLLSSLName, importc.}