From 57e68ab9c57f30a84c9e3022bbcd97278b18952a Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 22 Jun 2021 10:55:31 +0200
Subject: [PATCH] openssl: Improve compatibility to newer BoringSSL releases

Closes strongswan/strongswan#352
---
 .../plugins/openssl/openssl_diffie_hellman.c | 3 ++-
 .../plugins/openssl/openssl_ec_diffie_hellman.c | 8 ++++----
 .../plugins/openssl/openssl_rsa_private_key.c | 2 +-
 .../plugins/openssl/openssl_rsa_public_key.c | 2 +-
 src/libstrongswan/plugins/openssl/openssl_util.h | 7 ++++++-
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index a567f5f4f..bee56a425 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -168,7 +168,8 @@ static status_t set_modulus(private_openssl_diffie_hellman_t *this)
 }
 if (params->exp_len != params->prime.len)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) && \
+ (!defined(BORINGSSL_API_VERSION) || BORINGSSL_API_VERSION < 11)
 this->dh->priv_length = params->exp_len * 8;
 #else
 if (!DH_set_length(this->dh, params->exp_len * 8))
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 98dacc4f6..9fb334c08 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -21,7 +21,7 @@
 #include
 #include
 
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_BORINGSSL)
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
 #include
 #endif
 
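Review bot: The cut-off `BORINGSSL_API_VERSION < 11` in set_modulus() is a bare number, and the same commit uses `< 10` for the `EVP_PKEY_base_id` fallback in openssl_util.h, so a later reader cannot tell which BoringSSL change each value tracks. A one-line comment above the `#if` would fix that, for example `/* BoringSSL before API version 11 has no DH_set_length(), set the field directly */`, assuming that is the reason for the threshold. set_modulus() starts and ends outside the hunk.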
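Review bot: Removing `|| defined(OPENSSL_IS_BORINGSSL)` from this include guard and from the hunks at -67, -202 and -235 moves every BoringSSL build onto the `#else` branches, and no `BORINGSSL_API_VERSION` lower bound is kept as it is in openssl_diffie_hellman.c. In set_other_public_value() the peer's ECDH public value is then parsed by code outside the hunk instead of `chunk2ecp()`, so it is worth confirming that this path still rejects a malformed point when built against BoringSSL. If older BoringSSL releases must keep building, the condition could stay version-bound, e.g. `#if OPENSSL_VERSION_NUMBER < 0x1010000fL || (defined(OPENSSL_IS_BORINGSSL) && BORINGSSL_API_VERSION < MIN_API)`, where MIN_API is a placeholder for the first API version that provides the functions the `#else` code calls.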
@@ -67,7 +67,7 @@ struct private_openssl_ec_diffie_hellman_t {
 bool computed;
 };
 
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_BORINGSSL)
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
 /**
 * Convert a chunk to an EC_POINT and set it on the given key. The x and y
 * coordinates of the point have to be concatenated in the chunk.
@@ -202,7 +202,7 @@ METHOD(diffie_hellman_t, set_other_public_value, bool,
 goto error;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_BORINGSSL)
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
 if (!chunk2ecp(this->ec_group, value, pub))
 {
 DBG1(DBG_LIB, "ECDH public value is malformed");
@@ -235,7 +235,7 @@ error:
 METHOD(diffie_hellman_t, get_my_public_value, bool,
 private_openssl_ec_diffie_hellman_t *this, chunk_t *value)
 {
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_BORINGSSL)
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
 return ecp2chunk(this->ec_group, this->key, value);
 #else
 chunk_t pub;
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index 88450a67a..6cf20e247 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -279,7 +279,7 @@ METHOD(private_key_t, sign, bool,
 return build_emsa_pkcs1_signature(this, NID_sha384, data, signature);
 case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 return build_emsa_pkcs1_signature(this, NID_sha512, data, signature);
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHA3) && !defined(OPENSSL_IS_BORINGSSL)
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHA3)
 case SIGN_RSA_EMSA_PKCS1_SHA3_224:
 return build_emsa_pkcs1_signature(this, NID_sha3_224, data, signature);
 case SIGN_RSA_EMSA_PKCS1_SHA3_256:
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index db836f8e4..4cdb883cc 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -280,7 +280,7 @@ METHOD(public_key_t, verify, bool,
 return verify_emsa_pkcs1_signature(this, NID_sha384, data, signature);
 case SIGN_RSA_EMSA_PKCS1_SHA2_512:
 return verify_emsa_pkcs1_signature(this, NID_sha512, data, signature);
-#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHA3) && !defined(OPENSSL_IS_BORINGSSL)
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHA3)
 case SIGN_RSA_EMSA_PKCS1_SHA3_224:
 return verify_emsa_pkcs1_signature(this, NID_sha3_224, data, signature);
 case SIGN_RSA_EMSA_PKCS1_SHA3_256:
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index f226fef0e..0b5562c4e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -153,10 +153,15 @@ time_t openssl_asn1_to_time(const ASN1_TIME *time);
 /**
 * Compatibility macros
 */
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) && \
+ (!defined(BORINGSSL_API_VERSION) || BORINGSSL_API_VERSION < 10)
 #define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)
 #endif
 
+#ifndef OPENSSL_INIT_ENGINE_ALL_BUILTIN
+#define OPENSSL_INIT_ENGINE_ALL_BUILTIN 0
+#endif
+
 /**
 * Macros to define fallback getters/setters to access keys (BIGNUM*) for types
 * that were made opaque with OpenSSL 1.1.0.
-- 
2.47.3
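Review bot: With `!defined(OPENSSL_IS_BORINGSSL)` dropped, the SHA-3 cases in verify() (and in sign() in openssl_rsa_private_key.c, which gets the same change) are compiled for BoringSSL whenever it reports `OPENSSL_VERSION_NUMBER >= 0x1010100fL` and leaves `OPENSSL_NO_SHA3` undefined. If a BoringSSL release meets both conditions without providing `NID_sha3_224` and its siblings, the build fails on these lines. Testing for the constant itself would not depend on the version BoringSSL reports: `#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_SHA3) && defined(NID_sha3_224)`, assuming the NIDs are preprocessor macros as in OpenSSL's obj_mac.h. The switch statement starts and ends outside the hunk.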
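Review bot: The new fallback `#define OPENSSL_INIT_ENGINE_ALL_BUILTIN 0` in openssl_util.h carries no comment of its own, and a zero value turns the flag into a silent no-op wherever it is combined into the library init options; that call site is outside this hunk. A comment such as `/* not defined by every library (e.g. BoringSSL); 0 means no built-in engines are requested */` would record that the no-op is intended, presumably because such builds have no engines to load. Without it, a reader debugging missing engine support has no hint that the flag may have been compiled away.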