150 lines
5.5 KiB
Diff
150 lines
5.5 KiB
Diff
From 8723dbce048add87ce10fe8c72eea75c4f828ef8 Mon Sep 17 00:00:00 2001
|
|
From: Marc Hartmayer <mhartmay@linux.ibm.com>
|
|
Date: Wed, 23 Jun 2021 13:16:25 +0000
|
|
Subject: [PATCH] genprotimg: add OpenSSL 3.0 support
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Add OpenSSL 3.0 support while still supporting OpenSSL 1.1.0 and newer. For this
|
|
set the OPENSSL_API_COMPAT user defined macro to OpenSSL 1.1.0 (see
|
|
https://www.openssl.org/docs/manmaster/man7/OPENSSL_API_COMPAT.html) so we don't
|
|
see any deprecation warnings when using OpenSSL 3.0. In addition, add an
|
|
compatibility layer for OpenSSL since some OpenSSL API functions were constified
|
|
with OpenSSL 3.0.
|
|
|
|
Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/112
|
|
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
|
|
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
|
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
|
---
|
|
CHANGELOG.md | 1 +
|
|
genprotimg/src/Makefile | 1 +
|
|
genprotimg/src/utils/crypto.c | 15 ++++++------
|
|
genprotimg/src/utils/openssl_compat.h | 33 +++++++++++++++++++++++++++
|
|
4 files changed, 43 insertions(+), 7 deletions(-)
|
|
create mode 100644 genprotimg/src/utils/openssl_compat.h
|
|
|
|
diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
|
|
index a71bb1e3..0e811d66 100644
|
|
--- a/genprotimg/src/Makefile
|
|
+++ b/genprotimg/src/Makefile
|
|
@@ -29,6 +29,7 @@ $(bin_PROGRAM)_OBJS := $($(bin_PROGRAM)_SRCS:.c=.o)
|
|
|
|
ALL_CFLAGS += -std=gnu11 -DPKGDATADIR=$(PKGDATADIR) \
|
|
$(GLIB2_CFLAGS) $(LIBCRYPTO_CFLAGS) $(LIBCURL_CFLAGS) \
|
|
+ -DOPENSSL_API_COMPAT=0x10100000L \
|
|
$(WARNINGS) \
|
|
$(NULL)
|
|
ALL_CPPFLAGS += $(INCLUDE_PARMS)
|
|
diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
|
|
index 2e4750b8..087de375 100644
|
|
--- a/genprotimg/src/utils/crypto.c
|
|
+++ b/genprotimg/src/utils/crypto.c
|
|
@@ -31,6 +31,7 @@
|
|
|
|
#include "buffer.h"
|
|
#include "curl.h"
|
|
+#include "openssl_compat.h"
|
|
#include "crypto.h"
|
|
|
|
#define DEFINE_GSLIST_MAP(t2, t1) \
|
|
@@ -1438,7 +1439,7 @@ static const char *get_first_dp_url(DIST_POINT *dp)
|
|
return NULL;
|
|
}
|
|
|
|
-static gboolean insert_crl(X509_NAME *name, X509_CRL *crl)
|
|
+static gboolean insert_crl(const X509_NAME *name, X509_CRL *crl)
|
|
{
|
|
g_autofree gchar *key = NULL;
|
|
|
|
@@ -1453,7 +1454,7 @@ static gboolean insert_crl(X509_NAME *name, X509_CRL *crl)
|
|
}
|
|
|
|
/* Caller is responsible for free'ing */
|
|
-static X509_CRL *lookup_crl(X509_NAME *name)
|
|
+static X509_CRL *lookup_crl(const X509_NAME *name)
|
|
{
|
|
g_autoptr(X509_CRL) crl = NULL;
|
|
g_autofree gchar *key = NULL;
|
|
@@ -1473,7 +1474,7 @@ static X509_CRL *lookup_crl(X509_NAME *name)
|
|
}
|
|
|
|
/* Returns empty stack if no CRL downloaded. */
|
|
-static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
|
|
+static STACK_OF_X509_CRL *crls_download_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm)
|
|
{
|
|
g_autoptr(STACK_OF_X509_CRL) crls = NULL;
|
|
g_autoptr(X509_CRL) crl = NULL;
|
|
@@ -1483,7 +1484,7 @@ static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
|
|
crls = sk_X509_CRL_new_null();
|
|
if (!crls)
|
|
g_abort();
|
|
- cert = X509_STORE_CTX_get_current_cert(ctx);
|
|
+ cert = Pv_X509_STORE_CTX_get_current_cert(ctx);
|
|
if (!cert)
|
|
return g_steal_pointer(&crls);
|
|
g_assert(X509_NAME_cmp(X509_get_issuer_name(cert), nm) == 0);
|
|
@@ -1527,19 +1528,19 @@ void STACK_OF_X509_CRL_free(STACK_OF_X509_CRL *stack)
|
|
/* Downloaded CRLs have a higher precedence than the CRLs specified on the
|
|
* command line.
|
|
*/
|
|
-static STACK_OF_X509_CRL *crls_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
|
|
+static STACK_OF_X509_CRL *crls_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm)
|
|
{
|
|
g_autoptr(STACK_OF_X509_CRL) crls = crls_download_cb(ctx, nm);
|
|
|
|
if (sk_X509_CRL_num(crls) > 0)
|
|
return g_steal_pointer(&crls);
|
|
- return X509_STORE_CTX_get1_crls(ctx, nm);
|
|
+ return Pv_X509_STORE_CTX_get1_crls(ctx, nm);
|
|
}
|
|
|
|
/* Set up CRL lookup with download support */
|
|
void store_setup_crl_download(X509_STORE *st)
|
|
{
|
|
- X509_STORE_set_lookup_crls(st, crls_cb);
|
|
+ Pv_X509_STORE_set_lookup_crls(st, crls_cb);
|
|
}
|
|
|
|
/* Download a CRL using the URI specified in the distribution @crldp */
|
|
diff --git a/genprotimg/src/utils/openssl_compat.h b/genprotimg/src/utils/openssl_compat.h
|
|
new file mode 100644
|
|
index 00000000..791c31fc
|
|
--- /dev/null
|
|
+++ b/genprotimg/src/utils/openssl_compat.h
|
|
@@ -0,0 +1,33 @@
|
|
+/*
|
|
+ * OpenSSL compatibility utils
|
|
+ *
|
|
+ * Copyright IBM Corp. 2021
|
|
+ *
|
|
+ * s390-tools is free software; you can redistribute it and/or modify
|
|
+ * it under the terms of the MIT license. See LICENSE for details.
|
|
+ */
|
|
+
|
|
+#ifndef PV_UTILS_OPENSSL_COMPAT_H
|
|
+#define PV_UTILS_OPENSSL_COMPAT_H
|
|
+
|
|
+#include <openssl/opensslv.h>
|
|
+#include <openssl/x509.h>
|
|
+#include <openssl/x509_vfy.h>
|
|
+
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#define Pv_X509_STORE_CTX_get_current_cert(ctx) \
|
|
+ X509_STORE_CTX_get_current_cert((X509_STORE_CTX *)(ctx))
|
|
+#define Pv_X509_STORE_CTX_get1_crls(ctx, nm) \
|
|
+ X509_STORE_CTX_get1_crls((X509_STORE_CTX *)(ctx), (X509_NAME *)(nm))
|
|
+#define Pv_X509_STORE_set_lookup_crls(st, cb) \
|
|
+ X509_STORE_set_lookup_crls(st, (X509_STORE_CTX_lookup_crls_fn)(cb))
|
|
+#else
|
|
+#define Pv_X509_STORE_CTX_get_current_cert(ctx) \
|
|
+ X509_STORE_CTX_get_current_cert(ctx)
|
|
+#define Pv_X509_STORE_CTX_get1_crls(ctx, nm) \
|
|
+ X509_STORE_CTX_get1_crls(ctx, nm)
|
|
+#define Pv_X509_STORE_set_lookup_crls(st, cb) \
|
|
+ X509_STORE_set_lookup_crls(st, cb)
|
|
+#endif
|
|
+
|
|
+#endif
|