From: Alberto Leiva Popper Date: Thu, 2 Jul 2026 18:46:43 +0000 (-0600) Subject: Add support for OpenSSL 4 X-Git-Tag: 1.7.0.experimental~3^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c6523378fa6bd4f4cf2540e28cfb5e3e55ab36cd;p=thirdparty%2FFORT-validator.git Add support for OpenSSL 4 Previous maximum OpenSSL was 3. F1xes #183. --- diff --git a/src/asn1/asn1c/Certificate.c b/src/asn1/asn1c/Certificate.c index ca506047..3ac86a30 100644 --- a/src/asn1/asn1c/Certificate.c +++ b/src/asn1/asn1c/Certificate.c @@ -34,7 +34,7 @@ pk2json(X509 const *x) { json_t *root; json_t *child; - X509_PUBKEY *pubkey; + X509_PUBKEY const *pubkey; ASN1_OBJECT *oid; root = json_obj_new(); diff --git a/src/crypto/base64.c b/src/crypto/base64.c index 27103a69..15c19695 100644 --- a/src/crypto/base64.c +++ b/src/crypto/base64.c @@ -239,18 +239,20 @@ base64url_encode(unsigned char const *in, int in_len, char **result) return false; } - /* - * TODO (SLURM, RK) WHY IS THERE NO ERROR HANDLING HERE - * ARGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHH - */ mem = BIO_push(b64, mem); BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); - BIO_write(b64, in, in_len); - BIO_flush(b64); + + if (BIO_write(b64, in, in_len) < 0) + goto fail; + if (BIO_flush(b64) <= 0) + goto fail; BIO_get_mem_ptr(mem, &mem_buf); *result = to_base64url(mem_buf->data, mem_buf->length); BIO_free_all(b64); return true; + +fail: BIO_free_all(b64); + return false; } diff --git a/src/extension.c b/src/extension.c index 72531a36..e553763b 100644 --- a/src/extension.c +++ b/src/extension.c @@ -1,5 +1,8 @@ #include "extension.h" +#if OPENSSL_VERSION_MAJOR >= 4 +#include +#endif #include #include #include @@ -932,7 +935,7 @@ cannot_decode(struct extension_metadata const *meta) int validate_public_key_hash(X509 *cert, ASN1_OCTET_STRING *hash) { - X509_PUBKEY *pubkey; + X509_PUBKEY const *pubkey; const unsigned char *spk; int spk_len; int ok; diff --git a/src/libcrypto_util.c b/src/libcrypto_util.c index 74437c55..5ef9c51e 100644 --- a/src/libcrypto_util.c +++ b/src/libcrypto_util.c @@ -1,5 +1,8 @@ #include "libcrypto_util.h" +#if OPENSSL_VERSION_MAJOR >= 4 +#include +#endif #include #include #include @@ -30,14 +33,16 @@ asn1time2str(ASN1_TIME const *tm) if (bio == NULL) enomem_panic(); + res = NULL; if (BIO_PR_TIME(bio, tm) <= 0) - return NULL; + goto end; + if (BIO_flush(bio) <= 0) + goto end; - BIO_flush(bio); BIO_get_mem_ptr(bio, &buf); res = pstrndup(buf->data, buf->length); - BIO_free_all(bio); +end: BIO_free_all(bio); return res; } @@ -134,7 +139,7 @@ name2json(X509_NAME const *name) { json_t *root, *rdnSeq; json_t *typeval, *child; - X509_NAME_ENTRY *entry; + X509_NAME_ENTRY const *entry; int nid; const ASN1_STRING *data; int i; diff --git a/src/object/bgpsec.c b/src/object/bgpsec.c index 8f5a45d6..2b86c990 100644 --- a/src/object/bgpsec.c +++ b/src/object/bgpsec.c @@ -28,7 +28,7 @@ handle_bgpsec(X509 *cert, struct resources *parent_resources, struct rpp *pp) unsigned char *ski; enum rpki_policy policy; struct resources *resources; - X509_PUBKEY *pub_key; + X509_PUBKEY const *pub_key; unsigned char *cert_spk, *tmp; int cert_spk_len; struct resource_params res_params; diff --git a/src/object/certificate.c b/src/object/certificate.c index ac5108ee..911bd480 100644 --- a/src/object/certificate.c +++ b/src/object/certificate.c @@ -1,5 +1,8 @@ #include "object/certificate.h" +#if OPENSSL_VERSION_MAJOR >= 4 +#include +#endif #include #include #if OPENSSL_VERSION_MAJOR >= 3 @@ -192,7 +195,7 @@ validate_printable_string(char const *str, char const *what) static int validate_issuer(X509 *cert, bool is_ta) { - X509_NAME *issuer; + X509_NAME const *issuer; struct rfc5280_name *name; char const *commonName; int error; @@ -221,7 +224,7 @@ validate_issuer(X509 *cert, bool is_ta) * @diff_pk_cb when the public key is different; return 0 if both are equal. */ static int -spki_cmp(X509_PUBKEY *tal_spki, X509_PUBKEY *cert_spki, +spki_cmp(X509_PUBKEY *tal_spki, X509_PUBKEY const *cert_spki, int (*diff_alg_cb)(void), int (*diff_pk_cb)(void)) { ASN1_OBJECT *tal_alg; @@ -317,7 +320,7 @@ root_different_pk_err(void) } static int -validate_spki(X509_PUBKEY *cert_spki) +validate_spki(X509_PUBKEY const *cert_spki) { struct validation *state; struct tal *tal; @@ -369,7 +372,7 @@ validate_spki(X509_PUBKEY *cert_spki) * 2048-bit modulus and a public exponent (e) of 65,537." */ static int -validate_subject_public_key(X509_PUBKEY *pubkey) +validate_subject_public_key(X509_PUBKEY const *pubkey) { #if OPENSSL_VERSION_MAJOR >= 3 @@ -504,7 +507,7 @@ validate_subject_public_key(X509_PUBKEY *pubkey) static int validate_public_key(X509 *cert, enum cert_type type) { - X509_PUBKEY *pubkey; + X509_PUBKEY const *pubkey; EVP_PKEY *evppkey; X509_ALGOR *pa; int ok; @@ -767,7 +770,7 @@ certificate_validate_signature(X509 *cert, ANY_t *signedData, { static const uint8_t EXPLICIT_SET_OF_TAG = 0x31; - X509_PUBKEY *public_key; + X509_PUBKEY const *public_key; EVP_MD_CTX *ctx; struct encoded_signedAttrs signedAttrs; int error; @@ -1131,9 +1134,9 @@ abort: } static int -handle_ip_extension(X509_EXTENSION *ext, struct resources *resources) +handle_ip_extension(X509_EXTENSION const *ext, struct resources *resources) { - ASN1_OCTET_STRING *string; + ASN1_OCTET_STRING const *string; struct IPAddrBlocks *blocks; OCTET_STRING_t *family; int i; @@ -1180,10 +1183,10 @@ end: } static int -handle_asn_extension(X509_EXTENSION *ext, struct resources *resources, +handle_asn_extension(X509_EXTENSION const *ext, struct resources *resources, bool allow_inherit) { - ASN1_OCTET_STRING *string; + ASN1_OCTET_STRING const *string; struct ASIdentifiers *ids; int error; @@ -1204,7 +1207,7 @@ __certificate_get_resources(X509 *cert, struct resources *resources, int addr_nid, int asn_nid, int bad_addr_nid, int bad_asn_nid, char const *policy_rfc, char const *bad_ext_rfc, bool allow_asn_inherit) { - X509_EXTENSION *ext; + X509_EXTENSION const *ext; int nid; int i; int error; diff --git a/src/object/name.c b/src/object/name.c index e8c3d728..598781a0 100644 --- a/src/object/name.c +++ b/src/object/name.c @@ -1,5 +1,8 @@ #include "object/name.h" +#if OPENSSL_VERSION_MAJOR >= 4 +#include +#endif #include #include #include @@ -21,7 +24,7 @@ struct rfc5280_name { }; static int -name2string(X509_NAME_ENTRY *name, char **_result) +name2string(X509_NAME_ENTRY const *name, char **_result) { const ASN1_STRING *data; char *result; @@ -39,12 +42,12 @@ name2string(X509_NAME_ENTRY *name, char **_result) } int -x509_name_decode(X509_NAME *name, char const *what, +x509_name_decode(X509_NAME const *name, char const *what, struct rfc5280_name **_result) { struct rfc5280_name *result; int i; - X509_NAME_ENTRY *entry; + X509_NAME_ENTRY const *entry; int nid; int error; @@ -139,7 +142,7 @@ x509_name_equals(struct rfc5280_name *a, struct rfc5280_name *b) } int -validate_issuer_name(char const *container, X509_NAME *issuer) +validate_issuer_name(char const *container, X509_NAME const *issuer) { struct validation *state; X509 *parent; @@ -193,7 +196,7 @@ end: x509_name_put(parent_subject); } void -x509_name_pr_debug(const char *prefix, X509_NAME *name) +x509_name_pr_debug(const char *prefix, X509_NAME const *name) { if (!log_val_enabled(LOG_DEBUG)) return; diff --git a/src/object/name.h b/src/object/name.h index 4ded9d2e..de988533 100644 --- a/src/object/name.h +++ b/src/object/name.h @@ -7,7 +7,7 @@ struct rfc5280_name; /* Constructor */ -int x509_name_decode(X509_NAME *, char const *, struct rfc5280_name **); +int x509_name_decode(X509_NAME const *, char const *, struct rfc5280_name **); /* Reference counting */ void x509_name_get(struct rfc5280_name *); void x509_name_put(struct rfc5280_name *); @@ -20,8 +20,8 @@ bool x509_name_equals(struct rfc5280_name *, struct rfc5280_name *); /* X509_NAME utils */ -int validate_issuer_name(char const *, X509_NAME *); +int validate_issuer_name(char const *, X509_NAME const *); -void x509_name_pr_debug(char const *, X509_NAME *); +void x509_name_pr_debug(char const *, X509_NAME const *); #endif /* SRC_OBJECT_NAME_H_ */ diff --git a/src/str_token.c b/src/str_token.c index 05e4fcb4..6963f43b 100644 --- a/src/str_token.c +++ b/src/str_token.c @@ -1,5 +1,8 @@ #include "str_token.h" +#if OPENSSL_VERSION_MAJOR >= 4 +#include +#endif #include #include #include