From 8723dbce048add87ce10fe8c72eea75c4f828ef8 Mon Sep 17 00:00:00 2001 From: Marc Hartmayer Date: Wed, 23 Jun 2021 13:16:25 +0000 Subject: [PATCH] genprotimg: add OpenSSL 3.0 support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add OpenSSL 3.0 support while still supporting OpenSSL 1.1.0 and newer. For this set the OPENSSL_API_COMPAT user defined macro to OpenSSL 1.1.0 (see https://www.openssl.org/docs/manmaster/man7/OPENSSL_API_COMPAT.html) so we don't see any deprecation warnings when using OpenSSL 3.0. In addition, add an compatibility layer for OpenSSL since some OpenSSL API functions were constified with OpenSSL 3.0. Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/112 Reviewed-by: Patrick Steuer Signed-off-by: Marc Hartmayer Signed-off-by: Jan Höppner --- CHANGELOG.md | 1 + genprotimg/src/Makefile | 1 + genprotimg/src/utils/crypto.c | 15 ++++++------ genprotimg/src/utils/openssl_compat.h | 33 +++++++++++++++++++++++++++ 4 files changed, 43 insertions(+), 7 deletions(-) create mode 100644 genprotimg/src/utils/openssl_compat.h diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile index a71bb1e3..0e811d66 100644 --- a/genprotimg/src/Makefile +++ b/genprotimg/src/Makefile @@ -29,6 +29,7 @@ $(bin_PROGRAM)_OBJS := $($(bin_PROGRAM)_SRCS:.c=.o) ALL_CFLAGS += -std=gnu11 -DPKGDATADIR=$(PKGDATADIR) \ $(GLIB2_CFLAGS) $(LIBCRYPTO_CFLAGS) $(LIBCURL_CFLAGS) \ + -DOPENSSL_API_COMPAT=0x10100000L \ $(WARNINGS) \ $(NULL) ALL_CPPFLAGS += $(INCLUDE_PARMS) diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c index 2e4750b8..087de375 100644 --- a/genprotimg/src/utils/crypto.c +++ b/genprotimg/src/utils/crypto.c @@ -31,6 +31,7 @@ #include "buffer.h" #include "curl.h" +#include "openssl_compat.h" #include "crypto.h" #define DEFINE_GSLIST_MAP(t2, t1) \ 
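Review bot: The `-DOPENSSL_API_COMPAT=0x10100000L` define added to `ALL_CFLAGS` in genprotimg/src/Makefile carries no comment, and per the commit message it silences OpenSSL 3.0 deprecation warnings for every source file of the tool. A comment above the `ALL_CFLAGS +=` assignment would record the intent, for example `# Declare the OpenSSL 1.1.0 API level so OpenSSL 3.0 headers do not warn about functions deprecated after it`. It has to go above the assignment because a `#` comment cannot sit inside the backslash-continued line. Since this is certificate- and CRL-handling code, a follow-up build without the define would show which deprecated calls are still in use; whether any exist cannot be judged from this hunk.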
@@ -1438,7 +1439,7 @@ static const char *get_first_dp_url(DIST_POINT *dp) return NULL; } -static gboolean insert_crl(X509_NAME *name, X509_CRL *crl) +static gboolean insert_crl(const X509_NAME *name, X509_CRL *crl) { g_autofree gchar *key = NULL; @@ -1453,7 +1454,7 @@ static gboolean insert_crl(X509_NAME *name, X509_CRL *crl) } /* Caller is responsible for free'ing */ -static X509_CRL *lookup_crl(X509_NAME *name) +static X509_CRL *lookup_crl(const X509_NAME *name) { g_autoptr(X509_CRL) crl = NULL; g_autofree gchar *key = NULL; @@ -1473,7 +1474,7 @@ static X509_CRL *lookup_crl(X509_NAME *name) } /* Returns empty stack if no CRL downloaded. */ -static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm) +static STACK_OF_X509_CRL *crls_download_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm) { g_autoptr(STACK_OF_X509_CRL) crls = NULL; g_autoptr(X509_CRL) crl = NULL; @@ -1483,7 +1484,7 @@ static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm) crls = sk_X509_CRL_new_null(); if (!crls) g_abort(); - cert = X509_STORE_CTX_get_current_cert(ctx); + cert = Pv_X509_STORE_CTX_get_current_cert(ctx); if (!cert) return g_steal_pointer(&crls); g_assert(X509_NAME_cmp(X509_get_issuer_name(cert), nm) == 0); 
@@ -1527,19 +1528,19 @@ void STACK_OF_X509_CRL_free(STACK_OF_X509_CRL *stack) /* Downloaded CRLs have a higher precedence than the CRLs specified on the * command line. */ -static STACK_OF_X509_CRL *crls_cb(X509_STORE_CTX *ctx, X509_NAME *nm) +static STACK_OF_X509_CRL *crls_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm) { g_autoptr(STACK_OF_X509_CRL) crls = crls_download_cb(ctx, nm); if (sk_X509_CRL_num(crls) > 0) return g_steal_pointer(&crls); - return X509_STORE_CTX_get1_crls(ctx, nm); + return Pv_X509_STORE_CTX_get1_crls(ctx, nm); } /* Set up CRL lookup with download support */ void store_setup_crl_download(X509_STORE *st) { - X509_STORE_set_lookup_crls(st, crls_cb); + Pv_X509_STORE_set_lookup_crls(st, crls_cb); } /* Download a CRL using the URI specified in the distribution @crldp */ diff --git a/genprotimg/src/utils/openssl_compat.h b/genprotimg/src/utils/openssl_compat.h new file mode 100644 index 00000000..791c31fc --- /dev/null +++ b/genprotimg/src/utils/openssl_compat.h 
@@ -0,0 +1,33 @@
+/*
+ * OpenSSL compatibility utils
+ *
+ * Copyright IBM Corp. 2021
+ *
+ * s390-tools is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See LICENSE for details.
+ */
+
+#ifndef PV_UTILS_OPENSSL_COMPAT_H
+#define PV_UTILS_OPENSSL_COMPAT_H
+
+#include
+#include
+#include
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#define Pv_X509_STORE_CTX_get_current_cert(ctx) \
+ X509_STORE_CTX_get_current_cert((X509_STORE_CTX *)(ctx))
+#define Pv_X509_STORE_CTX_get1_crls(ctx, nm) \
+ X509_STORE_CTX_get1_crls((X509_STORE_CTX *)(ctx), (X509_NAME *)(nm))
+#define Pv_X509_STORE_set_lookup_crls(st, cb) \
+ X509_STORE_set_lookup_crls(st, (X509_STORE_CTX_lookup_crls_fn)(cb))
+#else
+#define Pv_X509_STORE_CTX_get_current_cert(ctx) \
+ X509_STORE_CTX_get_current_cert(ctx)
+#define Pv_X509_STORE_CTX_get1_crls(ctx, nm) \
+ X509_STORE_CTX_get1_crls(ctx, nm)
+#define Pv_X509_STORE_set_lookup_crls(st, cb) \
+ X509_STORE_set_lookup_crls(st, cb)
+#endif
+
+#endif
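Review bot: In the pre-3.0 branch, `Pv_X509_STORE_set_lookup_crls` casts the callback to `X509_STORE_CTX_lookup_crls_fn`, which switches off the compiler's check of the callback signature. OpenSSL then calls `crls_cb` (registered in `store_setup_crl_download` in crypto.c) through a pointer whose parameter types differ in `const`. That works on common ABIs but is not a compatible function type in ISO C, and a later change to the `crls_cb` signature would compile silently on OpenSSL 1.1.x builds. A narrower approach is to drop the cast and make the qualifier version-dependent: `#define PV_OSSL_CONST const` for 3.0 and an empty `#define PV_OSSL_CONST` otherwise (the macro name is only a suggestion), with the callbacks declared as `crls_cb(PV_OSSL_CONST X509_STORE_CTX *ctx, PV_OSSL_CONST X509_NAME *nm)`. The `(X509_STORE_CTX *)` and `(X509_NAME *)` casts in the two getter wrappers would then be unnecessary as well.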