openssl: rework openssl-1.1 support

Author: alonbl

configure.ac

@@ -303,48 +303,35 @@ if test "${have_openssl}" = "yes"; then
 	old_LIBS="${LIBS}"
 	LIBS="${LIBS} ${OPENSSL_LIBS}"
 	AC_CHECK_FUNC(
-		[ECDSA_METHOD_new],
+		[EC_KEY_METHOD_new],
 		[
 			openssl_ec="yes"
 			AC_DEFINE([ENABLE_PKCS11H_OPENSSL_EC], [1], [Enable openssl EC])
 		],
-		[
-			openssl_ec="hack"
-			old_CFLAGS="${CFLAGS}"
-			old_CPPFLAGS="${CPPFLAGS}"
-			CPPFLAGS="${CPPFLAGS} -I."
-			CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}"
-			AC_CHECK_HEADER(
-				[ecs_locl.h],
-				[
-					AC_DEFINE([ENABLE_PKCS11H_OPENSSL_EC], [1], [Enable openssl EC])
-					AC_DEFINE([ENABLE_PKCS11H_OPENSSL_EC_HACK], [1], [Enable openssl EC])
-					AC_DEFINE_UNQUOTED(
-						[ECDSA_METHOD_new(ecdsa)],
-						[(ECDSA_METHOD *)memmove(malloc(sizeof(ECDSA_METHOD)), ecdsa, sizeof(ECDSA_METHOD))],
-						[emulation],
-					)
-					AC_DEFINE_UNQUOTED(
-						[ECDSA_METHOD_free(ecdsa)],
-						[free(ecdsa)],
-						[emulation],
-					)
-					AC_DEFINE_UNQUOTED(
-						[ECDSA_METHOD_set_name(ecdsa, n)],
-						[ecdsa->name = n],
-						[emulation],
-					)
-					AC_DEFINE_UNQUOTED(
-						[ECDSA_METHOD_set_sign(ecdsa, s)],
-						[ecdsa->ecdsa_do_sign = s],
-						[emulation],
-					)
-				],
-				[openssl_ec="none"]
-			)
-			CPPFLAGS="${old_CPPFLAGS}"
-			CFLAGS="${old_CFLAGS}"
-		],
+		[AC_CHECK_FUNC(
+			[ECDSA_METHOD_new],
+			[
+				openssl_ec="yes"
+				AC_DEFINE([ENABLE_PKCS11H_OPENSSL_EC], [1], [Enable openssl EC])
+			],
+			[
+				openssl_ec="hack"
+				old_CFLAGS="${CFLAGS}"
+				old_CPPFLAGS="${CPPFLAGS}"
+				CPPFLAGS="${CPPFLAGS} -I."
+				CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}"
+				AC_CHECK_HEADER(
+					[ecs_locl.h],
+					[
+						AC_DEFINE([ENABLE_PKCS11H_OPENSSL_EC], [1], [Enable openssl EC])
+						AC_DEFINE([ENABLE_PKCS11H_OPENSSL_EC_HACK], [1], [Enable openssl EC])
+					],
+					[openssl_ec="none"]
+				)
+				CPPFLAGS="${old_CPPFLAGS}"
+				CFLAGS="${old_CFLAGS}"
+			],
+		)]
 	)
 	LIBS="${old_LIBS}"
 	AC_MSG_CHECKING([for OpenSSL ec support])
@@ -611,6 +598,7 @@ AC_CONFIG_FILES([
 	tests/Makefile
 	tests/test-basic/Makefile
 	tests/test-certificate/Makefile
+	tests/test-openssl/Makefile
 	tests/test-slotevent/Makefile
 ])
 AC_OUTPUT

include/pkcs11-helper-1.0/pkcs11h-openssl.h

@@ -67,6 +67,9 @@
 #define __PKCS11H_HELPER_H
 
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
 #include <pkcs11-helper-1.0/pkcs11h-core.h>
 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
 
@@ -147,10 +150,12 @@ pkcs11h_openssl_freeSession (
  * @param openssl_session	OpenSSL session reference.
  * @return RSA.
  */
+#ifndef OPENSSL_NO_RSA
 RSA *
 pkcs11h_openssl_session_getRSA (
 	IN const pkcs11h_openssl_session_t openssl_session
 );
+#endif
 
 /**
  * @brief Returns an EVP_PKEY out of the openssl_session object.

lib/_pkcs11h-crypto-openssl.c

@@ -55,6 +55,14 @@
 #if defined(ENABLE_PKCS11H_ENGINE_OPENSSL)
 #include <openssl/x509.h>
 
+/*
+ * Hack libressl incorrect interface number.
+ */
+#if defined(LIBRESSL_VERSION_NUMBER)
+#undef OPENSSL_VERSION_NUMBER
+#define OPENSSL_VERSION_NUMBER 0x1000107fL
+#endif
+
 #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
 # define RSA_get_default_method RSA_get_default_openssl_method
 #else
@@ -72,6 +80,11 @@
 #endif
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_get0_notAfter X509_get_notAfter
+#define X509_get0_notBefore X509_get_notBefore
+#endif
+
 #if OPENSSL_VERSION_NUMBER < 0x00908000L
 typedef unsigned char *__pkcs11_openssl_d2i_t;
 #else
@@ -85,7 +98,9 @@ __pkcs11h_crypto_openssl_initialize (
 ) {
 	(void)global_data;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	OpenSSL_add_all_digests ();
+#endif
 
 	return TRUE;
 }
@@ -110,8 +125,8 @@ __pkcs11h_crypto_openssl_certificate_get_expiration (
 ) {
 	X509 *x509 = NULL;
 	__pkcs11_openssl_d2i_t d2i;
-	ASN1_TIME *notBefore;
-	ASN1_TIME *notAfter;
+	const ASN1_TIME *notBefore;
+	const ASN1_TIME *notAfter;
 
 	(void)global_data;
 
@@ -131,8 +146,8 @@ __pkcs11h_crypto_openssl_certificate_get_expiration (
 		goto cleanup;
 	}
 
-	notBefore = X509_get_notBefore (x509);
-	notAfter = X509_get_notAfter (x509);
+	notBefore = X509_get0_notBefore (x509);
+	notAfter = X509_get0_notAfter (x509);
 
 	if (
 		notBefore != NULL &&