From f052e8a5c68acc3568cd73fe25fa20efb68f7164 Mon Sep 17 00:00:00 2001 From: Raul Metsma Date: Thu, 7 Apr 2022 09:19:45 +0300 Subject: [PATCH] OpenSSL 3.0 support IB-7357 Fixes #462 Signed-off-by: Raul Metsma --- .github/workflows/build.yml | 2 +- src/crypto/OpenSSLHelpers.h | 2 ++ src/crypto/PKCS12Signer.cpp | 16 ++++++++-------- src/crypto/X509CertStore.cpp | 9 ++++++++- src/crypto/X509Crypto.cpp | 14 +++++++------- test/CMakeLists.txt | 2 ++ 6 files changed, 28 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8b5ba1e52..cfec7e861 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -96,7 +96,7 @@ jobs: container: ${{ matrix.container }} strategy: matrix: - container: ['ubuntu:18.04', 'ubuntu:20.04', 'ubuntu:21.10'] + container: ['ubuntu:18.04', 'ubuntu:20.04', 'ubuntu:21.10', 'ubuntu:22.04'] env: DEBIAN_FRONTEND: noninteractive DEBFULLNAME: 'github-actions' diff --git a/src/crypto/OpenSSLHelpers.h b/src/crypto/OpenSSLHelpers.h index b9fefeb09..a6f7d27df 100644 --- a/src/crypto/OpenSSLHelpers.h +++ b/src/crypto/OpenSSLHelpers.h @@ -68,7 +68,9 @@ class OpenSSLException : public Exception { Exception e(ERR_lib_error_string(error), 0, ERR_error_string(error, nullptr)); if(ERR_GET_LIB(error) == ERR_R_BIO_LIB && +#if OPENSSL_VERSION_NUMBER < 0x30000000L ERR_GET_FUNC(error) == BIO_F_BIO_LOOKUP_EX && +#endif ERR_GET_REASON(error) == ERR_R_SYS_LIB) e.setCode(ExceptionCode::HostNotFound); addCause(e); diff --git a/src/crypto/PKCS12Signer.cpp b/src/crypto/PKCS12Signer.cpp index 666f3d3e5..16bb69a95 100644 --- a/src/crypto/PKCS12Signer.cpp +++ b/src/crypto/PKCS12Signer.cpp 
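Review bot: With the `ERR_GET_FUNC` test compiled out on OpenSSL 3.0, the condition in the OpenSSLHelpers.h hunk reduces to `ERR_GET_LIB(error) == ERR_R_BIO_LIB && ERR_GET_REASON(error) == ERR_R_SYS_LIB`, so every BIO error with that reason is reported as `ExceptionCode::HostNotFound`, not only a failed name lookup. If callers branch on HostNotFound (for example to decide that a validation service was merely unreachable), unrelated BIO failures would presumably take the same path on 3.0 builds. At minimum add a comment above the `#if`, e.g. `// OpenSSL 3.0 no longer records function codes; any BIO error with ERR_R_SYS_LIB maps to HostNotFound here`, and narrow the match if the 3.0 error data allows it. The enclosing function starts and ends outside the hunk.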
@@ -75,31 +75,31 @@ vector PKCS12Signer::sign(const string &method, const vectorkey); - signature.resize(size_t(RSA_size(rsa))); + SCOPE(RSA, rsa, EVP_PKEY_get1_RSA(d->key)); + signature.resize(size_t(RSA_size(rsa.get()))); int nid = Digest::toMethod(method); if(Digest::isRsaPssUri(method)) { vector em(signature.size()); - if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, em.data(), digest.data(), EVP_get_digestbynid(nid), nullptr, RSA_PSS_SALTLEN_DIGEST)) + if(!RSA_padding_add_PKCS1_PSS_mgf1(rsa.get(), em.data(), digest.data(), EVP_get_digestbynid(nid), nullptr, RSA_PSS_SALTLEN_DIGEST)) break; - if(RSA_private_encrypt(RSA_size(rsa), em.data(), signature.data(), rsa, RSA_NO_PADDING) == RSA_size(rsa)) + if(RSA_private_encrypt(RSA_size(rsa.get()), em.data(), signature.data(), rsa.get(), RSA_NO_PADDING) == RSA_size(rsa.get())) result = 1; } else { unsigned int size = (unsigned int)signature.size(); - result = RSA_sign(nid, digest.data(), (unsigned int)digest.size(), signature.data(), &size, rsa); + result = RSA_sign(nid, digest.data(), (unsigned int)digest.size(), signature.data(), &size, rsa.get()); } break; } #ifndef OPENSSL_NO_ECDSA case EVP_PKEY_EC: { - EC_KEY *ec = EVP_PKEY_get0_EC_KEY(d->key); - SCOPE(ECDSA_SIG, sig, ECDSA_do_sign(digest.data(), int(digest.size()), ec)); + SCOPE(EC_KEY, ec, EVP_PKEY_get1_EC_KEY(d->key)); + SCOPE(ECDSA_SIG, sig, ECDSA_do_sign(digest.data(), int(digest.size()), ec.get())); if(!sig) break; size_t keyLen = 0; - if(const EC_GROUP *group = EC_KEY_get0_group(ec)) + if(const EC_GROUP *group = EC_KEY_get0_group(ec.get())) { BIGNUM *order = BN_new(); if (EC_GROUP_get_order(group, order, nullptr)) diff --git a/src/crypto/X509CertStore.cpp b/src/crypto/X509CertStore.cpp index 6ab61a5d1..8dd0b4cbc 100644 --- a/src/crypto/X509CertStore.cpp +++ b/src/crypto/X509CertStore.cpp @@ -28,8 +28,11 @@ #include "util/File.h" #include -#include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif #include +#include #include #include 
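Review bot: `EVP_PKEY_get1_RSA` and `EVP_PKEY_get1_EC_KEY` can return NULL, yet the new code in PKCS12Signer::sign passes `rsa.get()` straight to `RSA_size` and `ec.get()` to `ECDSA_do_sign` without testing the handle. The hunk already guards the signature object with `if(!sig) break;`, and the same guard belongs right after each SCOPE line: `if(!rsa) break;` and `if(!ec) break;`. The same unchecked pattern appears in the RSA and EC hunks of X509Crypto::verify further down, where the key comes from the certificate being verified. The start of this hunk is truncated on the page and sign() continues past its end, so what `break` leaves in `result` should be confirmed against the full function.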
@@ -70,6 +73,10 @@ class X509CertStore::Private: public vector { X509CertStore::X509CertStore() : d(new Private) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + void(OSSL_PROVIDER_load(nullptr, "legacy")); + void(OSSL_PROVIDER_load(nullptr, "default")); +#endif SSL_load_error_strings(); SSL_library_init(); d->update(); diff --git a/src/crypto/X509Crypto.cpp b/src/crypto/X509Crypto.cpp index 796b2af01..bcf3a2b48 100644 --- a/src/crypto/X509Crypto.cpp +++ b/src/crypto/X509Crypto.cpp @@ -216,10 +216,10 @@ bool X509Crypto::verify(const string &method, const vector &diges { case EVP_PKEY_RSA: { - RSA *rsa = EVP_PKEY_get0_RSA(key); - auto decrypt = [rsa, &signature](int padding) { - vector decrypted(size_t(RSA_size(rsa))); - int size = RSA_public_decrypt(int(signature.size()), signature.data(), decrypted.data(), rsa, padding); + SCOPE(RSA, rsa, EVP_PKEY_get1_RSA(key)); + auto decrypt = [&rsa, &signature](int padding) { + vector decrypted(size_t(RSA_size(rsa.get()))); + int size = RSA_public_decrypt(int(signature.size()), signature.data(), decrypted.data(), rsa.get(), padding); if(size <= 0) decrypted.clear(); return decrypted; @@ -228,7 +228,7 @@ bool X509Crypto::verify(const string &method, const vector &diges if(Digest::isRsaPssUri(method)) { vector decrypted = decrypt(RSA_NO_PADDING); - result = RSA_verify_PKCS1_PSS_mgf1(rsa, digest.data(), EVP_get_digestbynid(nid), nullptr, decrypted.data(), RSA_PSS_SALTLEN_DIGEST); + result = RSA_verify_PKCS1_PSS_mgf1(rsa.get(), digest.data(), EVP_get_digestbynid(nid), nullptr, decrypted.data(), RSA_PSS_SALTLEN_DIGEST); } else { vector out = decrypt(RSA_PKCS1_PADDING); const unsigned char *p = out.data(); 
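Review bot: Both `OSSL_PROVIDER_load` results are cast to void in the X509CertStore constructor, so a missing or failing provider is silent, and a failed "default" load would only surface later as unrelated-looking crypto errors. Loading "legacy" into the default library context (`nullptr`) also enables the legacy algorithms for everything else in the process that uses that context, and the returned handles are never passed to `OSSL_PROVIDER_unload`, so each constructed store appears to take another reference. I would test the default load with `if(!OSSL_PROVIDER_load(nullptr, "default"))` and raise the project's OpenSSL exception, treat a missing legacy provider as a logged warning, and add a comment naming the input that needs the legacy provider. If only one code path needs it, a dedicated `OSSL_LIB_CTX` would keep the weaker algorithms out of the host application's context.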
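Review bot: In the RSA-PSS branch of X509Crypto::verify (hunk @@ -228), `decrypt(RSA_NO_PADDING)` returns an empty vector when `RSA_public_decrypt` fails, and `decrypted.data()` is then handed to `RSA_verify_PKCS1_PSS_mgf1`, which takes no length argument and expects an encoded message of modulus size. A malformed signature from the document under verification can therefore reach that call with an empty buffer. Prefix the changed call with `if(!decrypted.empty())`, assuming `result` is initialised to a failure value where it is declared outside the hunk. The lambda itself sits in the preceding hunk (@@ -216), and verify() extends beyond both.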
@@ -251,12 +251,12 @@ bool X509Crypto::verify(const string &method, const vector &diges #ifndef OPENSSL_NO_ECDSA case EVP_PKEY_EC: { - EC_KEY *ec = EVP_PKEY_get0_EC_KEY(key); + SCOPE(EC_KEY, ec, EVP_PKEY_get1_EC_KEY(key)); SCOPE(ECDSA_SIG, sig, ECDSA_SIG_new()); ECDSA_SIG_set0(sig.get(), BN_bin2bn(signature.data(), int(signature.size()/2), nullptr), BN_bin2bn(&signature[signature.size()/2], int(signature.size()/2), nullptr)); - result = ECDSA_do_verify(digest.data(), int(digest.size()), sig.get(), ec); + result = ECDSA_do_verify(digest.data(), int(digest.size()), sig.get(), ec.get()); break; } #endif diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 65a527f22..837d38e80 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -56,10 +56,12 @@ if( Boost_INCLUDE_DIR ) COMMAND ${CMAKE_CURRENT_BINARY_DIR}/TSLTests -- EE_T-OCSP-invalid-type.xml bad ${CMAKE_CURRENT_SOURCE_DIR}/data WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/src ) + if(OPENSSL_VERSION VERSION_LESS "3.0.0") add_test(NAME TSLTest_OCSP-withdrawn COMMAND ${CMAKE_CURRENT_BINARY_DIR}/TSLTests -- EE_T-OCSP-withdrawn.xml bad ${CMAKE_CURRENT_SOURCE_DIR}/data WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/src ) + endif() add_test(NAME TSLTest_OCSP-withdrawn-granted-before COMMAND ${CMAKE_CURRENT_BINARY_DIR}/TSLTests -- EE_T-OCSP-withdrawn-granted-before.xml good ${CMAKE_CURRENT_SOURCE_DIR}/data WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/src
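Review bot: The EC branch of X509Crypto::verify splits `signature` in half with `&signature[signature.size()/2]` and never checks its length, so an empty signature is out-of-range indexing on the vector and an odd-length one silently loses its last byte. The results of `BN_bin2bn` and `ECDSA_SIG_set0` are also unchecked, and `ECDSA_do_verify` returns -1 on error, so whatever consumes `result` outside this hunk should accept only 1. A guard before `ECDSA_SIG_set0`, such as `if(signature.empty() || signature.size() % 2) break;`, closes the first gap. verify() starts and ends outside the hunk.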
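Review bot: The `if(OPENSSL_VERSION VERSION_LESS "3.0.0")` guard in test/CMakeLists.txt drops TSLTest_OCSP-withdrawn on OpenSSL 3.0 builds without saying why, and that test is a negative case (expected result `bad`) for a withdrawn OCSP service. Skipping it means this rejection path is no longer exercised on exactly the platform the patch adds. Please add a comment above the `if` stating the reason and the follow-up, e.g. `# FIXME: fails with OpenSSL 3.0 because <reason>; re-enable, tracked in <issue-id>`, or adjust the fixture so the test runs on both versions. The guard also relies on `OPENSSL_VERSION` being set in this scope by the parent project's package lookup, which is not visible here.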