Add support for OpenSSL 3.0.0, drop support for OpenSSL < 1.1.0

certnanny · Jul 30, 2021 · 153dd1b · 153dd1b
1 parent 02a52d5
commit 153dd1b
Show file tree

Hide file tree

Showing 17 changed files with 88 additions and 62 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,7 +2,6 @@
 /sscep_static
 /sscep_dyn
 /.git_checkout
-/src/config.h*
 /src/*.o
 /sscep-*.tar.gz
 /sscep-*.tar.bz2

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -5,8 +5,12 @@ project(sscep)
 if (WIN32)
     set(OPENSSL_USE_STATIC_LIBS TRUE)
 endif()
+
+set(OPENSSL_MIN_VERSION 1.1.0)
 find_package(OpenSSL REQUIRED)
 
+option(ENABLE_ENGINES "Enable support for OpenSSL ENGINE API")
+
 # For IDE such as Visual Studio we include also the header files
 set(SSCEP_SOURCES
     src/sscep.c
@@ -17,8 +21,6 @@ set(SSCEP_SOURCES
     src/getopt.h
     src/configuration.c
     src/configuration.h
-    src/engine.c
-    src/engine.h
     src/net.c
     src/picohttpparser.c
     src/picohttpparser.h
@@ -30,6 +32,15 @@ set(SSCEP_SOURCES
     src/sceputils.c
 )
 
+if (ENABLE_ENGINES)
+    set(SSCEP_SOURCES
+        ${SSCEP_SOURCES}
+        src/engine.c
+        src/engine.h
+    )
+    add_definitions(-DWITH_ENGINES)
+endif()
+
 if (MSVC)
     add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 endif()

diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,12 @@
 SSCEP Release history
 ========================================
 
+v0.10.0 (2021-?-?)
+* Compatible with OpenSSL 3.0.0
+* Engines are now disabled by default and need to be enabled by
+  `./configure --enable-engines` or `cmake . -DENABLE_ENGINES=ON`
+* Removed support for OpenSSL < 1.1.0
+
 v0.9.1 (2021-07-31)
 * Fixed missing Host header (@papperlapapp)
 * Fixed multiple numeric overflows (@ziemleszcz)

diff --git a/Makefile.am b/Makefile.am
@@ -9,8 +9,6 @@ sscep_SOURCES = src/sscep.c \
                 src/getopt.h \
                 src/configuration.c \
                 src/configuration.h \
-                src/engine.c \
-                src/engine.h \
                 src/net.c \
                 src/picohttpparser.c \
                 src/picohttpparser.h \
@@ -20,6 +18,10 @@ sscep_SOURCES = src/sscep.c \
                 src/fileutils.c \
                 src/fileutils_capi.h \
                 src/sceputils.c
+if WITH_ENGINES
+sscep_SOURCES += src/engine.c \
+                 src/engine.h
+endif
 
 dist_doc_DATA = COPYING \
                 README.md

diff --git a/README.md b/README.md
@@ -41,6 +41,9 @@ Currently, SSCEP implements:
 * All of the SCEP operations using SCEP query messages
 * HTTP/1.1 queries via IPv4 or IPv6
 * Integration with OpenSSL cryptographic engines
+  * sscep 0.3.0 - 0.6.1 works with openssl 0.9.7 - 1.0.2
+  * sscep 0.7.0 - 0.9.0 works with openssl 0.9.7 - 1.1.1
+  * sscep 0.10.0 works with openssl 1.1.0 - 3.0.0
 
 There's no LDAP support, and probably there will never be (that's why it is
 simple).
@@ -127,7 +130,6 @@ $ brew install autoconf automake libtool pkg-config openssl
 
 To generate the configure script when checking out from github source:
 ```cmd
-$ autoheader
 $ glibtoolize
 $ aclocal
 $ automake -a -c -f

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.9.1
+0.10.0
diff --git a/bootstrap.sh b/bootstrap.sh
@@ -1,6 +1,5 @@
 #!/bin/sh
 libtoolize
 aclocal
-autoheader
 automake --add-missing
 autoconf
diff --git a/configure.ac b/configure.ac
@@ -2,20 +2,24 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.69])
-AC_INIT([sscep],[0.9.1],[[email protected]])
+AC_INIT([sscep],[0.10.0],[[email protected]])
 AC_CONFIG_AUX_DIR([build-aux])
 AM_INIT_AUTOMAKE([foreign subdir-objects dist-bzip2])
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
-AC_CONFIG_HEADERS([src/config.h])
 AC_CONFIG_SRCDIR([src/sscep.c])
 AC_CONFIG_MACRO_DIR([m4])
 LT_INIT
 
+AC_ARG_ENABLE([engines],
+    AS_HELP_STRING([--enable-engines], [Enable support for OpenSSL ENGINE API]))
+AM_CONDITIONAL(WITH_ENGINES, test "x$enable_engines" = "xyes")
+AS_IF([test "x$enable_engines" = "xyes"], [AC_DEFINE([WITH_ENGINES], [1], [ENGINE API enabled])])
+
 # Checks for programs.
 AC_PROG_CC
 
 # Checks for libraries.
-PKG_CHECK_MODULES(openssl, openssl >= 0.9.7)
+PKG_CHECK_MODULES(openssl, openssl >= 1.1.0)
 #
 CFLAGS="$CFLAGS $openssl_CFLAGS"
 CPPFLAGS="$CPPFLAGS $openssl_CPPFLAGS"

diff --git a/scripts/sscep.spec b/scripts/sscep.spec
@@ -4,14 +4,14 @@
 #
 
 Name:         sscep
-Version:      0.9.1
+Version:      0.10.0
 Release:      1
 Summary:      Simple SCEP client
 License:      BSD
 Group:        Productivity/Security
 Source:       %{name}-%{version}.tar.gz
 URL:          https://github.com/certnanny/sscep
-Requires:     openssl >= 1:0.9.7
+Requires:     openssl >= 1:1.1.0
 
 %description
 Simple SCEP (Simple Certificate Enrollment Protocol) client.

diff --git a/src/cmd.h b/src/cmd.h
@@ -39,9 +39,11 @@ extern char *f_char;
 extern char *F_char;
 extern int F_flag;
 
+#ifdef WITH_ENGINES
 /* enable EnGine support */
 extern char *g_char;
 extern int g_flag;
+#endif
 
 /* enable hwcrhk keys
  * To set this means that the new key (for which you have the

diff --git a/src/conf.h b/src/conf.h
@@ -4,7 +4,8 @@
  * Copyright (c) Jarkko Turkulainen 2003. All rights reserved.
  * See the file COPYRIGHT for licensing information.
  */
-
+#ifndef CONF_H
+#define CONF_H
 
 /* Network timeout */
 #define	TIMEOUT		120
@@ -27,3 +28,4 @@
 /* Transaction id for GetCert and GetCrl methods */
 #define TRANS_ID_GETCERT	"SSCEP transactionId"
 
+#endif /* ifndef CONF_H */
diff --git a/src/configuration.c b/src/configuration.c
@@ -160,11 +160,12 @@ int scep_conf_init(char *filename, int operation_flag) {
 
 
         //write g_char, but ONLY if not defined already (command line overwrites config file)
+#ifdef WITH_ENGINES
 		if(!g_flag) {
 			g_flag = 1;
 			g_char = strdup(scep_conf->engine->engine_id);
 		}
-
+#endif
 		//load the special section string
 		engine_special_section = (char *) malloc(sizeof(SCEP_CONFIGURATION_SECTION_ENGINE_TEMPLATE) + sizeof(scep_conf->engine->engine_id));
 		sprintf(engine_special_section, SCEP_CONFIGURATION_SECTION_ENGINE_TEMPLATE, scep_conf->engine->engine_id);

diff --git a/src/engine.c b/src/engine.c
@@ -23,23 +23,23 @@ ENGINE *scep_engine_init() {
 		if(scep_conf && scep_conf->engine->module_path) {
 			if(ENGINE_ctrl_cmd_string(e, "MODULE_PATH", scep_conf->engine->module_path, 0) == 0) {
 				fprintf(stderr, "%s: Adding MODULE PATH %s was not successful!\n", pname, scep_conf->engine->module_path);
-				sscep_engine_report_error();
+				ERR_print_errors_fp(stderr);
 				exit (SCEP_PKISTATUS_ERROR);
 			}
 		}
 
 		//define this engine as a default for all our crypto operations. This way OpenSSL automatically chooses the right functions
 		if(ENGINE_set_default(e, ENGINE_METHOD_ALL) == 0) {
 				fprintf(stderr, "%s: Error loading on setting defaults\n", pname);
-				sscep_engine_report_error();
+				ERR_print_errors_fp(stderr);
 				exit (SCEP_PKISTATUS_ERROR);
 		} else if(v_flag)
 			printf("%s: Engine %s made default for all operations\n", pname, g_char);
 
 		//we need a functional reference and as such need to initialize
 		if(ENGINE_init(e) == 0) {
 			fprintf(stderr, "%s: Engine Init did not work\n", pname);
-			sscep_engine_report_error();
+			ERR_print_errors_fp(stderr);
 			exit (SCEP_PKISTATUS_ERROR);
 		} else if(v_flag)
 			printf("%s: Engine %s initialized\n", pname, g_char);
@@ -52,13 +52,13 @@ ENGINE *scep_engine_init() {
 			// set debug level
 			if(!ENGINE_ctrl(e, (ENGINE_CMD_BASE + 2), 2, NULL, NULL)) {
 				fprintf(stderr, "%s: Could not set debug level to %i\n", pname, 2);
-				sscep_engine_report_error();
+				ERR_print_errors_fp(stderr);
 				exit (SCEP_PKISTATUS_ERROR);
 			}
 			// set debug file (log)
 			if(!ENGINE_ctrl(e, (ENGINE_CMD_BASE + 3), 0, "capi.log", NULL)) {
 				fprintf(stderr, "%s: Could not set debug file to %s\n", pname, "capi.log");
-				sscep_engine_report_error();
+				ERR_print_errors_fp(stderr);
 				exit (SCEP_PKISTATUS_ERROR);
 			}
 		}
@@ -68,31 +68,31 @@ ENGINE *scep_engine_init() {
 			if(scep_conf->engine->storepass) {
 				if(!ENGINE_ctrl(e, 2, 0, scep_conf->engine->storepass, NULL)) {
 					fprintf(stderr, "%s: Could not set %s\n", pname, SCEP_CONFIGURATION_ENGINE_JKSENGINE_KEYSTOREPASS);
-					sscep_engine_report_error();
+					ERR_print_errors_fp(stderr);
 					exit (SCEP_PKISTATUS_ERROR);
 				}
 			}
 
 			if(scep_conf->engine->jconnpath) {
 				if(!ENGINE_ctrl(e, 3, 0, scep_conf->engine->jconnpath, 0)) {
 					fprintf(stderr, "%s: Could not set %s\n", pname, SCEP_CONFIGURATION_ENGINE_JKSENGINE_JCONNPATH);
-					sscep_engine_report_error();
+					ERR_print_errors_fp(stderr);
 					exit (SCEP_PKISTATUS_ERROR);
 				}
 			}
 
 			if(scep_conf->engine->provider) {
 				if(!ENGINE_ctrl(e, 4, 0, scep_conf->engine->provider, 0)) {
 					fprintf(stderr, "%s: Could not set %s\n", pname, SCEP_CONFIGURATION_ENGINE_JKSENGINE_PROVIDER);
-					sscep_engine_report_error();
+					ERR_print_errors_fp(stderr);
 					exit (SCEP_PKISTATUS_ERROR);
 				}
 			}
 
 			if(scep_conf->engine->javapath) {
 				if(!ENGINE_ctrl(e, 5, 0, scep_conf->engine->javapath, 0)) {
 					fprintf(stderr, "%s: Could not set %s\n", pname, SCEP_CONFIGURATION_ENGINE_JKSENGINE_JAVAPATH);
-					sscep_engine_report_error();
+					ERR_print_errors_fp(stderr);
 					exit (SCEP_PKISTATUS_ERROR);
 				}
 			}
@@ -103,7 +103,7 @@ ENGINE *scep_engine_init() {
 			if(scep_conf->engine->pin) {
 				if(!ENGINE_ctrl(e, (ENGINE_CMD_BASE + 2), 0, scep_conf->engine->pin, NULL)) {
 					fprintf(stderr, "%s: Could not define PIN\n", pname);
-					sscep_engine_report_error();
+					ERR_print_errors_fp(stderr);
 					exit (SCEP_PKISTATUS_ERROR);
 				}
 			}
@@ -121,7 +121,7 @@ ENGINE *scep_engine_load_dynamic() {
 	//if we can't even load the dynamic engine, something is seriously wrong. We can't go on from here!
 	if(e == NULL) {
 		fprintf(stderr, "%s: Engine dynamic could not be loaded, Error message\n", pname);
-		sscep_engine_report_error();
+		ERR_print_errors_fp(stderr);
 		exit (SCEP_PKISTATUS_ERROR);
 	} else if(v_flag)
 		printf("%s: Engine dynamic was loaded\n", pname);
@@ -130,7 +130,7 @@ ENGINE *scep_engine_load_dynamic() {
 	if(scep_conf && scep_conf->engine->dynamic_path) {
 		if(ENGINE_ctrl_cmd_string(e, "SO_PATH", scep_conf->engine->dynamic_path, 0) == 0) {
 			fprintf(stderr, "%s: Loading %s did not succeed\n", pname, g_char);
-			sscep_engine_report_error();
+			ERR_print_errors_fp(stderr);
 			exit (SCEP_PKISTATUS_ERROR);
 		} else if (v_flag)
 			printf("%s: %s was found.\n", pname, g_char);
@@ -139,7 +139,7 @@ ENGINE *scep_engine_load_dynamic() {
 	//engine will be added to the list of available engines. Should be done for complete import.
 	if(ENGINE_ctrl_cmd_string(e, "LIST_ADD", "1", 0) == 0) {
 		fprintf(stderr, "%s: Executing LIST_ADD did not succeed:\n", pname);
-		sscep_engine_report_error();
+		ERR_print_errors_fp(stderr);
 		exit (SCEP_PKISTATUS_ERROR);
 	} else if(v_flag)
 		printf("%s: Added %s to list of engines.\n", pname, g_char);
@@ -151,7 +151,7 @@ ENGINE *scep_engine_load_dynamic() {
 	//Finally we load the engine.
 	if(ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0) == 0) {
 		fprintf(stderr, "%s: Executing LOAD did not succeed:\n", pname);
-		sscep_engine_report_error();
+		ERR_print_errors_fp(stderr);
 		exit (SCEP_PKISTATUS_ERROR);
 	} else if(v_flag)
 		printf("%s: Loading engine %s succeeded\n", pname, g_char);
@@ -163,7 +163,7 @@ ENGINE *scep_engine_load_dynamic() {
                  NAME_VALUE_PAIR *cmd = scep_conf->engine->cmds[i];
                  if(ENGINE_ctrl_cmd_string(e, cmd->name, cmd->value, 0) == 0) {
                          fprintf(stderr, "%s: Executing %s=%s failed\n", pname, cmd->name, cmd->value);
-                         sscep_engine_report_error();
+			ERR_print_errors_fp(stderr);
                          exit (SCEP_PKISTATUS_ERROR);
                  } else if(v_flag) {
                          fprintf(stderr, "%s: Engine command %s=%s succeeded\n", pname, cmd->name, cmd->value);
@@ -192,7 +192,7 @@ void sscep_engine_read_key(EVP_PKEY **key, char *id, ENGINE *e) {
 
 	if(*key == 0) {
 		printf("Could not load private key!\n");
-		sscep_engine_report_error();
+		ERR_print_errors_fp(stderr);
 		exit(SCEP_PKISTATUS_FILE);
 	}
 }
@@ -225,22 +225,16 @@ void sscep_engine_read_key_capi(EVP_PKEY **key, char *id, ENGINE *e, char *store
 
 	if(!ENGINE_ctrl(e, CAPI_CMD_STORE_FLAGS, scep_conf->engine->storelocation, NULL, NULL)) {
 		fprintf(stderr, "%s: Executing CAPI_CMD_STORE_FLAGS did not succeed\n", pname);
-		sscep_engine_report_error();
+		ERR_print_errors_fp(stderr);
 		exit(SCEP_PKISTATUS_ERROR);
 	} else {
 		printf("%s: Set storelocation to %i\n", pname, scep_conf->engine->storelocation);
 	}
 
 	if(!ENGINE_ctrl(e, CAPI_CMD_STORE_NAME, 0, (void*)storename, NULL)) {
 		fprintf(stderr, "%s: Executing CAPI_CMD_STORE_NAME did not succeed\n", pname);
-		sscep_engine_report_error();
+		ERR_print_errors_fp(stderr);
 		exit(SCEP_PKISTATUS_ERROR);
 	}
 	sscep_engine_read_key(key, id, e);
 }
-
-void sscep_engine_report_error() {
-	ERR_load_crypto_strings();
-	ERR_print_errors_fp(stderr);
-	ERR_free_strings();
-}
diff --git a/src/fileutils_capi.c b/src/fileutils_capi.c
@@ -8,9 +8,7 @@ void capi_read_key_Engine(EVP_PKEY** key, char* id, ENGINE *e, char* storename);
 
 void capi_read_key_Engine(EVP_PKEY** key, char* id, ENGINE *e, char* storename) {
 	if(!ENGINE_ctrl(e, CAPI_CMD_STORE_NAME, 0, (void*)storename, NULL)) {
-		ERR_load_CRYPTO_strings();
 		fprintf(stderr, "Executing CAPI_CMD_STORE_NAME did not succeed: %s\n", ERR_error_string(ERR_peek_last_error(), NULL));
-		ERR_free_strings();
 		exit(SCEP_PKISTATUS_ERROR);
 	}
 	//loading the key