From e8c1479a0189a069240fc1cf7dc83f4f2c4550a6 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 24 May 2021 10:52:40 +0200
Subject: [PATCH] Build with OpenSSL 3.0 Resolves: rhbz#1953480
---
opensc-0.21.0-openssl3.patch | 135 +++++++++++++++++++++++++++++++++++
opensc.spec | 5 +-
2 files changed, 139 insertions(+), 1 deletion(-)
create mode 100644 opensc-0.21.0-openssl3.patch
diff --git a/opensc-0.21.0-openssl3.patch b/opensc-0.21.0-openssl3.patch
new file mode 100644
index 0000000..19b2762
--- /dev/null
+++ b/opensc-0.21.0-openssl3.patch
@@ -0,0 +1,135 @@
+diff --git a/src/libopensc/cwa14890.c b/src/libopensc/cwa14890.c
+index da471abf..d854799e 100644
+--- a/src/libopensc/cwa14890.c
++++ b/src/libopensc/cwa14890.c
+@@ -519,8 +519,8 @@ static int cwa_internal_auth(sc_card_t * card, u8 * sig, size_t sig_len, u8 * da
+ * @return SC_SUCCESS if ok; else errorcode
+ */
+ static int cwa_prepare_external_auth(sc_card_t * card,
+- RSA * icc_pubkey,
+- RSA * ifd_privkey,
++ COMPAT_RSA * icc_pubkey,
++ COMPAT_RSA * ifd_privkey,
+ u8 * sig,
+ size_t sig_len)
+ {
+@@ -594,7 +594,7 @@ static int cwa_prepare_external_auth(sc_card_t * card,
+ buf3[127] = 0xBC; /* iso padding */
+
+ /* encrypt with ifd private key */
+- len2 = RSA_private_decrypt(128, buf3, buf2, ifd_privkey, RSA_NO_PADDING);
++ len2 = RSA_private_decrypt(128, buf3, buf2, (RSA *)ifd_privkey, RSA_NO_PADDING);
+ if (len2 < 0) {
+ msg = "Prepare external auth: ifd_privk encrypt failed";
+ res = SC_ERROR_SM_ENCRYPT_FAILED;
+@@ -630,7 +630,7 @@ static int cwa_prepare_external_auth(sc_card_t * card,
+ }
+
+ /* re-encrypt result with icc public key */
+- len1 = RSA_public_encrypt(len3, buf3, buf1, icc_pubkey, RSA_NO_PADDING);
++ len1 = RSA_public_encrypt(len3, buf3, buf1, (RSA *)icc_pubkey, RSA_NO_PADDING);
+ if (len1 <= 0 || (size_t) len1 != sig_len) {
+ msg = "Prepare external auth: icc_pubk encrypt failed";
+ res = SC_ERROR_SM_ENCRYPT_FAILED;
+@@ -842,8 +842,8 @@ static int cwa_compare_signature(u8 * data, size_t dlen, u8 * ifd_data)
+ * @return SC_SUCCESS if ok; else error code
+ */
+ static int cwa_verify_internal_auth(sc_card_t * card,
+- RSA * icc_pubkey,
+- RSA * ifd_privkey,
++ COMPAT_RSA * icc_pubkey,
++ COMPAT_RSA * ifd_privkey,
+ u8 * ifdbuf,
+ size_t ifdlen,
+ u8 * sig,
+@@ -901,7 +901,7 @@ static int cwa_verify_internal_auth(sc_card_t * card,
+ */
+
+ /* decrypt data with our ifd priv key */
+- len1 = RSA_private_decrypt(sig_len, sig, buf1, ifd_privkey, RSA_NO_PADDING);
++ len1 = RSA_private_decrypt(sig_len, sig, buf1, (RSA *)ifd_privkey, RSA_NO_PADDING);
+ if (len1 <= 0) {
+ msg = "Verify Signature: decrypt with ifd privk failed";
+ res = SC_ERROR_SM_ENCRYPT_FAILED;
+@@ -911,7 +911,7 @@ static int cwa_verify_internal_auth(sc_card_t * card,
+ /* OK: now we have SIGMIN in buf1 */
+ /* check if SIGMIN data matches SIG or N.ICC-SIG */
+ /* evaluate DS[SK.ICC.AUTH](SIG) trying to decrypt with icc pubk */
+- len3 = RSA_public_encrypt(len1, buf1, buf3, icc_pubkey, RSA_NO_PADDING);
++ len3 = RSA_public_encrypt(len1, buf1, buf3, (RSA *) icc_pubkey, RSA_NO_PADDING);
+ if (len3 <= 0)
+ goto verify_nicc_sig; /* evaluate N.ICC-SIG and retry */
+ res = cwa_compare_signature(buf3, len3, ifdbuf);
+@@ -945,7 +945,7 @@ static int cwa_verify_internal_auth(sc_card_t * card,
+ }
+ /* ok: check again with new data */
+ /* evaluate DS[SK.ICC.AUTH](I.ICC-SIG) trying to decrypt with icc pubk */
+- len3 = RSA_public_encrypt(len2, buf2, buf3, icc_pubkey, RSA_NO_PADDING);
++ len3 = RSA_public_encrypt(len2, buf2, buf3, (RSA *)icc_pubkey, RSA_NO_PADDING);
+ if (len3 <= 0) {
+ msg = "Verify Signature: cannot get valid SIG data";
+ res = SC_ERROR_INVALID_DATA;
+diff --git a/src/libopensc/p15card-helper.c b/src/libopensc/p15card-helper.c
+index e641858d..1cee573f 100644
+--- a/src/libopensc/p15card-helper.c
++++ b/src/libopensc/p15card-helper.c
+@@ -143,7 +143,7 @@ CERT_HANDLE_FUNCTION(default_cert_handle) {
+ int r;
+ X509 *cert_data = NULL;
+ EVP_PKEY *pkey = NULL;
+- RSA * rsa = NULL;
++ COMPAT_RSA * rsa = NULL;
+ int certtype = 0;
+ int modulus_len = 0;
+ const prdata* key = get_prkey_by_cert(items, cert);
+diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
+index 339ad96c..5ac50174 100644
+--- a/src/libopensc/sc-ossl-compat.h
++++ b/src/libopensc/sc-ossl-compat.h
+@@ -273,6 +273,16 @@ static sc_ossl_inline void CRYPTO_secure_malloc_done()
+
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
++/* OpenSSL 3.0 changes return value of EVP_PKEY_get0_*() to const */
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++# define COMPAT_RSA RSA
++# define COMPAT_EC_KEY EC_KEY
++#else
++# define COMPAT_RSA const RSA
++# define COMPAT_EC_KEY const EC_KEY
++#endif
++
++
+ #ifdef __cplusplus
+ }
+ #endif /* __cplusplus */
+diff --git a/src/tests/p11test/p11test_case_common.c b/src/tests/p11test/p11test_case_common.c
+index 695ae2ea..73f147e0 100644
+--- a/src/tests/p11test/p11test_case_common.c
++++ b/src/tests/p11test/p11test_case_common.c
+@@ -20,6 +20,7 @@
+ */
+
+ #include "p11test_case_common.h"
++#include "../../libopensc/sc-ossl-compat.h"
+
+ char name_buffer[11];
+ char flag_buffer[11];
+@@ -208,7 +209,7 @@ int callback_certificates(test_certs_t *objects,
+
+ if (EVP_PKEY_base_id(evp) == EVP_PKEY_RSA) {
+ /* Extract public RSA key */
+- RSA *rsa = EVP_PKEY_get0_RSA(evp);
++ COMPAT_RSA *rsa = EVP_PKEY_get0_RSA(evp);
+ if ((o->key.rsa = RSAPublicKey_dup(rsa)) == NULL) {
+ fail_msg("RSAPublicKey_dup failed");
+ return -1;
+@@ -218,7 +219,7 @@ int callback_certificates(test_certs_t *objects,
+
+ } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
+ /* Extract public EC key */
+- EC_KEY *ec = EVP_PKEY_get0_EC_KEY(evp);
++ COMPAT_EC_KEY *ec = EVP_PKEY_get0_EC_KEY(evp);
+ if ((o->key.ec = EC_KEY_dup(ec)) == NULL) {
+ fail_msg("EC_KEY_dup failed");
+ return -1;
diff --git a/opensc.spec b/opensc.spec
index 12e12b5..165f4ca 100644
--- a/opensc.spec
+++ b/opensc.spec
@@ -16,6 +16,8 @@ Source2: common.sh Patch1: opensc-0.19.0-pinpad.patch # https://github.com/OpenSC/OpenSC/pull/2241/ Patch5: %{name}-gcc11.patch +# https://github.com/OpenSC/OpenSC/pull/2343 +Patch6: %{name}-0.21.0-openssl3.patch BuildRequires: make BuildRequires: pcsc-lite-devel
@@ -54,6 +56,7 @@ every software/card that does so, too. %setup -q %patch1 -p1 -b .pinpad %patch5 -p1 -b .gcc11 +%patch6 -p1 -b .openssl3 cp %{SOURCE2} tests/ # The test-pkcs11-tool-allowed-mechanisms already works in Fedora
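Review bot: In the cwa14890.c part of the added patch, the five `(RSA *)ifd_privkey` / `(RSA *)icc_pubkey` casts strip the `const` that `COMPAT_RSA` has just put on the parameters for OpenSSL 3.0, so the compiler can no longer flag a write through these key handles. `RSA_private_decrypt()` and `RSA_public_encrypt()` take a non-const `RSA *`, so the cast is needed to compile, but it deserves a comment at each site, for example `/* OpenSSL 3.0: legacy RSA_*() calls take a non-const RSA *; cast drops the const added by COMPAT_RSA */`. The spacing also differs between `(RSA *) icc_pubkey` in the -911 hunk and `(RSA *)icc_pubkey` elsewhere. The bodies of `cwa_prepare_external_auth` and `cwa_verify_internal_auth` extend beyond the inner hunks, so where the keys come from and whether they are shared is not visible here.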
@@ -75,7 +78,7 @@ sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in %endif sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths %set_build_flags -CFLAGS="$CFLAGS -Wstrict-aliasing=2" +CFLAGS="$CFLAGS -Wstrict-aliasing=2 -Wno-deprecated-declarations" %configure --disable-static \ --disable-autostart-items \ --disable-notify \
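Review bot: `-Wno-deprecated-declarations` on the CFLAGS line switches off every deprecation warning for the whole build, not only the OpenSSL 3.0 ones this commit is about, so a later use of any deprecated crypto call will no longer show up in the build log. If the aim is only to stop the build from failing (assuming warnings are treated as errors, which this hunk does not show), `CFLAGS="$CFLAGS -Wstrict-aliasing=2 -Wno-error=deprecated-declarations"` keeps the warnings visible. If the aim is to silence OpenSSL alone, `-DOPENSSL_SUPPRESS_DEPRECATED` limits the effect to OpenSSL's headers. A spec comment above the line, such as `# OpenSSL 3.0 deprecates the low-level RSA/EC_KEY calls OpenSC still uses; drop once upstream moves to EVP`, would tell the next packager when the flag can go. The `%configure` invocation continues past the end of the hunk.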