opensc/opensc-0.21.0-openssl3.patch

diff --git a/src/libopensc/cwa14890.c b/src/libopensc/cwa14890.c
index da471abf..d854799e 100644
--- a/src/libopensc/cwa14890.c
+++ b/src/libopensc/cwa14890.c
@@ -519,8 +519,8 @@ static int cwa_internal_auth(sc_card_t * card, u8 * sig, size_t sig_len, u8 * da
  * @return SC_SUCCESS if ok; else errorcode
  */
 static int cwa_prepare_external_auth(sc_card_t * card,
-				     RSA * icc_pubkey,
-				     RSA * ifd_privkey,
+				     COMPAT_RSA * icc_pubkey,
+				     COMPAT_RSA * ifd_privkey,
 				     u8 * sig,
 				     size_t sig_len)
 {
@@ -594,7 +594,7 @@ static int cwa_prepare_external_auth(sc_card_t * card,
 	buf3[127] = 0xBC;	/* iso padding */
 
 	/* encrypt with ifd private key */
-	len2 = RSA_private_decrypt(128, buf3, buf2, ifd_privkey, RSA_NO_PADDING);
+	len2 = RSA_private_decrypt(128, buf3, buf2, (RSA *)ifd_privkey, RSA_NO_PADDING);
 	if (len2 < 0) {
 		msg = "Prepare external auth: ifd_privk encrypt failed";
 		res = SC_ERROR_SM_ENCRYPT_FAILED;
@@ -630,7 +630,7 @@ static int cwa_prepare_external_auth(sc_card_t * card,
 	}
 
 	/* re-encrypt result with icc public key */
-	len1 = RSA_public_encrypt(len3, buf3, buf1, icc_pubkey, RSA_NO_PADDING);
+	len1 = RSA_public_encrypt(len3, buf3, buf1, (RSA *)icc_pubkey, RSA_NO_PADDING);
 	if (len1 <= 0 || (size_t) len1 != sig_len) {
 		msg = "Prepare external auth: icc_pubk encrypt failed";
 		res = SC_ERROR_SM_ENCRYPT_FAILED;
@@ -842,8 +842,8 @@ static int cwa_compare_signature(u8 * data, size_t dlen, u8 * ifd_data)
  * @return SC_SUCCESS if ok; else error code
  */
 static int cwa_verify_internal_auth(sc_card_t * card,
-				    RSA * icc_pubkey,
-				    RSA * ifd_privkey,
+				    COMPAT_RSA * icc_pubkey,
+				    COMPAT_RSA * ifd_privkey,
 				    u8 * ifdbuf,
 				    size_t ifdlen,
 				    u8 * sig,
@@ -901,7 +901,7 @@ static int cwa_verify_internal_auth(sc_card_t * card,
 	 */
 
 	/* decrypt data with our ifd priv key */
-	len1 = RSA_private_decrypt(sig_len, sig, buf1, ifd_privkey, RSA_NO_PADDING);
+	len1 = RSA_private_decrypt(sig_len, sig, buf1, (RSA *)ifd_privkey, RSA_NO_PADDING);
 	if (len1 <= 0) {
 		msg = "Verify Signature: decrypt with ifd privk failed";
 		res = SC_ERROR_SM_ENCRYPT_FAILED;
@@ -911,7 +911,7 @@ static int cwa_verify_internal_auth(sc_card_t * card,
 	/* OK: now we have SIGMIN in buf1 */
 	/* check if SIGMIN data matches SIG or N.ICC-SIG */
 	/* evaluate DS[SK.ICC.AUTH](SIG) trying to decrypt with icc pubk */
-	len3 = RSA_public_encrypt(len1, buf1, buf3, icc_pubkey, RSA_NO_PADDING);
+	len3 = RSA_public_encrypt(len1, buf1, buf3, (RSA *) icc_pubkey, RSA_NO_PADDING);
 	if (len3 <= 0)
 		goto verify_nicc_sig;	/* evaluate N.ICC-SIG and retry */
 	res = cwa_compare_signature(buf3, len3, ifdbuf);
@@ -945,7 +945,7 @@ static int cwa_verify_internal_auth(sc_card_t * card,
 	}
 	/* ok: check again with new data */
 	/* evaluate DS[SK.ICC.AUTH](I.ICC-SIG) trying to decrypt with icc pubk */
-	len3 = RSA_public_encrypt(len2, buf2, buf3, icc_pubkey, RSA_NO_PADDING);
+	len3 = RSA_public_encrypt(len2, buf2, buf3, (RSA *)icc_pubkey, RSA_NO_PADDING);
 	if (len3 <= 0) {
 		msg = "Verify Signature: cannot get valid SIG data";
 		res = SC_ERROR_INVALID_DATA;
diff --git a/src/libopensc/p15card-helper.c b/src/libopensc/p15card-helper.c
index e641858d..1cee573f 100644
--- a/src/libopensc/p15card-helper.c
+++ b/src/libopensc/p15card-helper.c
@@ -143,7 +143,7 @@ CERT_HANDLE_FUNCTION(default_cert_handle) {
 	int r;
 	X509 *cert_data = NULL;
 	EVP_PKEY *pkey = NULL;
-	RSA * rsa = NULL;
+	COMPAT_RSA * rsa = NULL;
 	int certtype = 0;
 	int modulus_len = 0;
 	const prdata* key = get_prkey_by_cert(items, cert);
diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
index 339ad96c..5ac50174 100644
--- a/src/libopensc/sc-ossl-compat.h
+++ b/src/libopensc/sc-ossl-compat.h
@@ -273,6 +273,16 @@ static sc_ossl_inline void CRYPTO_secure_malloc_done()
 
 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
 
+/* OpenSSL 3.0 changes return value of EVP_PKEY_get0_*() to const */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+# define COMPAT_RSA RSA
+# define COMPAT_EC_KEY EC_KEY
+#else
+# define COMPAT_RSA const RSA
+# define COMPAT_EC_KEY const EC_KEY
+#endif
+
+
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */
diff --git a/src/tests/p11test/p11test_case_common.c b/src/tests/p11test/p11test_case_common.c
index 695ae2ea..73f147e0 100644
--- a/src/tests/p11test/p11test_case_common.c
+++ b/src/tests/p11test/p11test_case_common.c
@@ -20,6 +20,7 @@
  */
 
 #include "p11test_case_common.h"
+#include "../../libopensc/sc-ossl-compat.h"
 
 char name_buffer[11];
 char flag_buffer[11];
@@ -208,7 +209,7 @@ int callback_certificates(test_certs_t *objects,
 
 	if (EVP_PKEY_base_id(evp) == EVP_PKEY_RSA) {
 		/* Extract public RSA key */
-		RSA *rsa = EVP_PKEY_get0_RSA(evp);
+		COMPAT_RSA *rsa = EVP_PKEY_get0_RSA(evp);
 		if ((o->key.rsa = RSAPublicKey_dup(rsa)) == NULL) {
 			fail_msg("RSAPublicKey_dup failed");
 			return -1;
@@ -218,7 +219,7 @@ int callback_certificates(test_certs_t *objects,
 
 	} else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
 		/* Extract public EC key */
-		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(evp);
+		COMPAT_EC_KEY *ec = EVP_PKEY_get0_EC_KEY(evp);
 		if ((o->key.ec = EC_KEY_dup(ec)) == NULL) {
 			fail_msg("EC_KEY_dup failed");
 			return -1;
commit afc1cfa01b1f0ad59f292e306c594bd979fe8b0d
Author: Jakub Jelen <jjelen@redhat.com>
Date:   Thu Jul 15 08:55:13 2021 +0200

    Do not use EVP_PKEY_get0() for EC_KEY handling
    
    The function is intentionally broken in OpenSSL 3.0 for provided keys
    and returning NULL. But it should still work for the legacy gost engine
    implementation (but I do not have a good way to check).
    
    Discussed in openssl upstream issue:
    
    https://github.com/openssl/openssl/issues/16081

diff --git a/src/libopensc/pkcs15-prkey.c b/src/libopensc/pkcs15-prkey.c
index c7d2d011..d9b8d0b8 100644
--- a/src/libopensc/pkcs15-prkey.c
+++ b/src/libopensc/pkcs15-prkey.c
@@ -728,13 +728,13 @@ sc_pkcs15_convert_prkey(struct sc_pkcs15_prkey *pkcs15_key, void *evp_key)
 		}
 	case EVP_PKEY_EC: {
 		struct sc_pkcs15_prkey_ec *dst = &pkcs15_key->u.ec;
-		EC_KEY *src = NULL;
+		const EC_KEY *src = NULL;
 		const EC_GROUP *grp = NULL;
 		unsigned char buf[255];
 		size_t buflen = 255;
 		int nid;
 
-		src = EVP_PKEY_get0(pk);
+		src = EVP_PKEY_get0_EC_KEY(pk);
 		assert(src);
 		assert(EC_KEY_get0_private_key(src));
 		assert(EC_KEY_get0_public_key(src));
diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c
index ac8fda7b..b93a8c68 100644
--- a/src/libopensc/pkcs15-pubkey.c
+++ b/src/libopensc/pkcs15-pubkey.c
@@ -1783,13 +1783,13 @@ sc_pkcs15_convert_pubkey(struct sc_pkcs15_pubkey *pkcs15_key, void *evp_key)
 	}
 	case EVP_PKEY_EC: {
 		struct sc_pkcs15_pubkey_ec *dst = &pkcs15_key->u.ec;
-		EC_KEY *src = NULL;
+		const EC_KEY *src = NULL;
 		const EC_GROUP *grp = NULL;
 		unsigned char buf[255];
 		size_t buflen = 255;
 		int nid;
 
-		src = EVP_PKEY_get0(pk);
+		src = EVP_PKEY_get0_EC_KEY(pk);
 		assert(src);
 		assert(EC_KEY_get0_public_key(src));
 
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index ffd3666c..f87ce025 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -3143,18 +3143,18 @@ parse_gost_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost)
 static int
 parse_ec_pkey(EVP_PKEY *pkey, int private, struct gostkey_info *gost)
 {
-	EC_KEY *src = EVP_PKEY_get0(pkey);
+	const EC_KEY *src = EVP_PKEY_get0_EC_KEY(pkey);
 	const BIGNUM *bignum;
 
 	if (!src)
 		return -1;
 
-	gost->param_oid.len = i2d_ECParameters(src, &gost->param_oid.value);
+	gost->param_oid.len = i2d_ECParameters((EC_KEY *)src, &gost->param_oid.value);
 	if (gost->param_oid.len <= 0)
 		return -1;
 
 	if (private) {
-		bignum = EC_KEY_get0_private_key(EVP_PKEY_get0(pkey));
+		bignum = EC_KEY_get0_private_key(src);
 
 		gost->private.len = BN_num_bytes(bignum);
 		gost->private.value = malloc(gost->private.len);