diff --git a/src/libopensc/cwa14890.c b/src/libopensc/cwa14890.c index da471abf..d854799e 100644 --- a/src/libopensc/cwa14890.c +++ b/src/libopensc/cwa14890.c @@ -519,8 +519,8 @@ static int cwa_internal_auth(sc_card_t * card, u8 * sig, size_t sig_len, u8 * da * @return SC_SUCCESS if ok; else errorcode */ static int cwa_prepare_external_auth(sc_card_t * card, - RSA * icc_pubkey, - RSA * ifd_privkey, + COMPAT_RSA * icc_pubkey, + COMPAT_RSA * ifd_privkey, u8 * sig, size_t sig_len) { @@ -594,7 +594,7 @@ static int cwa_prepare_external_auth(sc_card_t * card, buf3[127] = 0xBC; /* iso padding */ /* encrypt with ifd private key */ - len2 = RSA_private_decrypt(128, buf3, buf2, ifd_privkey, RSA_NO_PADDING); + len2 = RSA_private_decrypt(128, buf3, buf2, (RSA *)ifd_privkey, RSA_NO_PADDING); if (len2 < 0) { msg = "Prepare external auth: ifd_privk encrypt failed"; res = SC_ERROR_SM_ENCRYPT_FAILED; @@ -630,7 +630,7 @@ static int cwa_prepare_external_auth(sc_card_t * card, } /* re-encrypt result with icc public key */ - len1 = RSA_public_encrypt(len3, buf3, buf1, icc_pubkey, RSA_NO_PADDING); + len1 = RSA_public_encrypt(len3, buf3, buf1, (RSA *)icc_pubkey, RSA_NO_PADDING); if (len1 <= 0 || (size_t) len1 != sig_len) { msg = "Prepare external auth: icc_pubk encrypt failed"; res = SC_ERROR_SM_ENCRYPT_FAILED; @@ -842,8 +842,8 @@ static int cwa_compare_signature(u8 * data, size_t dlen, u8 * ifd_data) * @return SC_SUCCESS if ok; else error code */ static int cwa_verify_internal_auth(sc_card_t * card, - RSA * icc_pubkey, - RSA * ifd_privkey, + COMPAT_RSA * icc_pubkey, + COMPAT_RSA * ifd_privkey, u8 * ifdbuf, size_t ifdlen, u8 * sig, 
@@ -901,7 +901,7 @@ static int cwa_verify_internal_auth(sc_card_t * card, */ /* decrypt data with our ifd priv key */ - len1 = RSA_private_decrypt(sig_len, sig, buf1, ifd_privkey, RSA_NO_PADDING); + len1 = RSA_private_decrypt(sig_len, sig, buf1, (RSA *)ifd_privkey, RSA_NO_PADDING); if (len1 <= 0) { msg = "Verify Signature: decrypt with ifd privk failed"; res = SC_ERROR_SM_ENCRYPT_FAILED; @@ -911,7 +911,7 @@ static int cwa_verify_internal_auth(sc_card_t * card, /* OK: now we have SIGMIN in buf1 */ /* check if SIGMIN data matches SIG or N.ICC-SIG */ /* evaluate DS[SK.ICC.AUTH](SIG) trying to decrypt with icc pubk */ - len3 = RSA_public_encrypt(len1, buf1, buf3, icc_pubkey, RSA_NO_PADDING); + len3 = RSA_public_encrypt(len1, buf1, buf3, (RSA *) icc_pubkey, RSA_NO_PADDING); if (len3 <= 0) goto verify_nicc_sig; /* evaluate N.ICC-SIG and retry */ res = cwa_compare_signature(buf3, len3, ifdbuf); @@ -945,7 +945,7 @@ static int cwa_verify_internal_auth(sc_card_t * card, } /* ok: check again with new data */ /* evaluate DS[SK.ICC.AUTH](I.ICC-SIG) trying to decrypt with icc pubk */ - len3 = RSA_public_encrypt(len2, buf2, buf3, icc_pubkey, RSA_NO_PADDING); + len3 = RSA_public_encrypt(len2, buf2, buf3, (RSA *)icc_pubkey, RSA_NO_PADDING); if (len3 <= 0) { msg = "Verify Signature: cannot get valid SIG data"; res = SC_ERROR_INVALID_DATA; diff --git a/src/libopensc/p15card-helper.c b/src/libopensc/p15card-helper.c index e641858d..1cee573f 100644 --- a/src/libopensc/p15card-helper.c +++ b/src/libopensc/p15card-helper.c @@ -143,7 +143,7 @@ CERT_HANDLE_FUNCTION(default_cert_handle) { int r; X509 *cert_data = NULL; EVP_PKEY *pkey = NULL; - RSA * rsa = NULL; + COMPAT_RSA * rsa = NULL; int certtype = 0; int modulus_len = 0; const prdata* key = get_prkey_by_cert(items, cert); diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h index 339ad96c..5ac50174 100644 --- a/src/libopensc/sc-ossl-compat.h +++ b/src/libopensc/sc-ossl-compat.h 
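Review bot: The cast in the @@ -911 hunk is written `(RSA *) icc_pubkey` with a space after the parenthesis, whereas every other cast this commit adds in cwa14890.c (`(RSA *)ifd_privkey` in @@ -901, `(RSA *)icc_pubkey` in @@ -945) has none; the one line should read `len3 = RSA_public_encrypt(len1, buf1, buf3, (RSA *)icc_pubkey, RSA_NO_PADDING);` so a purely mechanical change stays uniform and greppable. The cast only strips the const that COMPAT_RSA carries on OpenSSL 3.0 headers, so there is no behavioural concern on this line. cwa_verify_internal_auth begins and ends outside these hunks.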
@@ -273,6 +273,16 @@ static sc_ossl_inline void CRYPTO_secure_malloc_done() #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ +/* OpenSSL 3.0 changes return value of EVP_PKEY_get0_*() to const */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L +# define COMPAT_RSA RSA +# define COMPAT_EC_KEY EC_KEY +#else +# define COMPAT_RSA const RSA +# define COMPAT_EC_KEY const EC_KEY +#endif + + #ifdef __cplusplus } #endif /* __cplusplus */ diff --git a/src/tests/p11test/p11test_case_common.c b/src/tests/p11test/p11test_case_common.c index 695ae2ea..73f147e0 100644 --- a/src/tests/p11test/p11test_case_common.c +++ b/src/tests/p11test/p11test_case_common.c @@ -20,6 +20,7 @@ */ #include "p11test_case_common.h" +#include "../../libopensc/sc-ossl-compat.h" char name_buffer[11]; char flag_buffer[11]; @@ -208,7 +209,7 @@ int callback_certificates(test_certs_t *objects, if (EVP_PKEY_base_id(evp) == EVP_PKEY_RSA) { /* Extract public RSA key */ - RSA *rsa = EVP_PKEY_get0_RSA(evp); + COMPAT_RSA *rsa = EVP_PKEY_get0_RSA(evp); if ((o->key.rsa = RSAPublicKey_dup(rsa)) == NULL) { fail_msg("RSAPublicKey_dup failed"); return -1; @@ -218,7 +219,7 @@ int callback_certificates(test_certs_t *objects, } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) { /* Extract public EC key */ - EC_KEY *ec = EVP_PKEY_get0_EC_KEY(evp); + COMPAT_EC_KEY *ec = EVP_PKEY_get0_EC_KEY(evp); if ((o->key.ec = EC_KEY_dup(ec)) == NULL) { fail_msg("EC_KEY_dup failed"); return -1; commit afc1cfa01b1f0ad59f292e306c594bd979fe8b0d Author: Jakub Jelen Date: Thu Jul 15 08:55:13 2021 +0200 Do not use EVP_PKEY_get0() for EC_KEY handling The function is intentionally broken in OpenSSL 3.0 for provided keys and returning NULL. But it should still work for the legacy gost engine implementation (but I do not have a good way to check). Discussed in openssl upstream issue: https://github.com/openssl/openssl/issues/16081 diff --git a/src/libopensc/pkcs15-prkey.c b/src/libopensc/pkcs15-prkey.c index c7d2d011..d9b8d0b8 100644 
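Review bot: The new COMPAT_RSA / COMPAT_EC_KEY macros in sc-ossl-compat.h make the const-ness of a key pointer depend on the OpenSSL version, but the header says nothing about what that means for callers, and this same commit has to cast the const away at every RSA_* call site in cwa14890.c. A comment next to the definitions would stop the next maintainer from reading those casts as permission to mutate or free the object: `/* get0 accessors do not transfer ownership; the object stays owned by the EVP_PKEY. Cast the const away only to satisfy non-const RSA_* / EC_KEY_* prototypes on older OpenSSL, never to modify or free the key. */`. The `OPENSSL_VERSION_NUMBER < 0x30000000L` test mirrors the `< 0x10100000L` guard visible just above, which is consistent with the rest of the header.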
--- a/src/libopensc/pkcs15-prkey.c +++ b/src/libopensc/pkcs15-prkey.c @@ -728,13 +728,13 @@ sc_pkcs15_convert_prkey(struct sc_pkcs15_prkey *pkcs15_key, void *evp_key) } case EVP_PKEY_EC: { struct sc_pkcs15_prkey_ec *dst = &pkcs15_key->u.ec; - EC_KEY *src = NULL; + const EC_KEY *src = NULL; const EC_GROUP *grp = NULL; unsigned char buf[255]; size_t buflen = 255; int nid; - src = EVP_PKEY_get0(pk); + src = EVP_PKEY_get0_EC_KEY(pk); assert(src); assert(EC_KEY_get0_private_key(src)); assert(EC_KEY_get0_public_key(src)); diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c index ac8fda7b..b93a8c68 100644 --- a/src/libopensc/pkcs15-pubkey.c +++ b/src/libopensc/pkcs15-pubkey.c @@ -1783,13 +1783,13 @@ sc_pkcs15_convert_pubkey(struct sc_pkcs15_pubkey *pkcs15_key, void *evp_key) } case EVP_PKEY_EC: { struct sc_pkcs15_pubkey_ec *dst = &pkcs15_key->u.ec; - EC_KEY *src = NULL; + const EC_KEY *src = NULL; const EC_GROUP *grp = NULL; unsigned char buf[255]; size_t buflen = 255; int nid; - src = EVP_PKEY_get0(pk); + src = EVP_PKEY_get0_EC_KEY(pk); assert(src); assert(EC_KEY_get0_public_key(src)); diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c index ffd3666c..f87ce025 100644 --- a/src/tools/pkcs11-tool.c +++ b/src/tools/pkcs11-tool.c @@ -3143,18 +3143,18 @@ parse_gost_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost) static int parse_ec_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost) { - EC_KEY *src = EVP_PKEY_get0(pkey); + const EC_KEY *src = EVP_PKEY_get0_EC_KEY(pkey); const BIGNUM *bignum; if (!src) return -1; - gost->param_oid.len = i2d_ECParameters(src, &gost->param_oid.value); + gost->param_oid.len = i2d_ECParameters((EC_KEY *)src, &gost->param_oid.value); if (gost->param_oid.len <= 0) return -1; if (private) { - bignum = EC_KEY_get0_private_key(EVP_PKEY_get0(pkey)); + bignum = EC_KEY_get0_private_key(src); gost->private.len = BN_num_bytes(bignum); gost->private.value = malloc(gost->private.len);
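Review bot: In the pkcs15-prkey.c hunk the result of `EVP_PKEY_get0_EC_KEY(pk)` is still validated only by `assert(src)`, even though the commit exists because the previous accessor was returning NULL on OpenSSL 3.0, which shows the NULL path is reachable in practice; the new accessor can still return NULL for a key it cannot expose. With NDEBUG defined the check disappears and `EC_KEY_get0_private_key(src)` is handed a NULL key; without NDEBUG a library routine aborts the whole host process over a key it could simply have rejected. Replace the three asserts with a runtime check such as `if (!src || !EC_KEY_get0_private_key(src) || !EC_KEY_get0_public_key(src)) return SC_ERROR_INVALID_DATA;` (or whichever error code the other branches of this function already return — its return convention is outside the hunk). sc_pkcs15_convert_prkey starts and ends outside this hunk.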
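Review bot: The pkcs15-pubkey.c hunk has the same shape as the prkey one: `src = EVP_PKEY_get0_EC_KEY(pk);` is followed by `assert(src);` and `assert(EC_KEY_get0_public_key(src));`, so a NULL from the accessor either aborts the process or, under NDEBUG, reaches `EC_KEY_get0_public_key()` unchecked. Since the conversion routine already has a way to report failure (the function returns a status to its caller, though that part is outside the hunk), the asserts should become `if (!src || !EC_KEY_get0_public_key(src)) return SC_ERROR_INVALID_DATA;` or the error code the surrounding branches use. sc_pkcs15_convert_pubkey starts and ends outside this hunk.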
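Review bot: In the pkcs11-tool.c hunk the rewritten line `bignum = EC_KEY_get0_private_key(src);` still passes `bignum` straight to `BN_num_bytes()` with no NULL check, although `src` itself is checked a few lines earlier; an EVP_PKEY carrying only the public component yields a NULL BIGNUM here when `private` is set. Add `if (!bignum) return -1;` immediately after the assignment, mirroring the existing `if (!src) return -1;`. The `(EC_KEY *)src` cast on `i2d_ECParameters()` is only needed for pre-3.0 prototypes and is harmless, but a short comment saying so (`/* const-correct only on OpenSSL >= 3.0 */`) would explain the cast to the next reader. parse_ec_pkey continues past the end of the hunk.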