Merge pull request #79 from openca/78-port-libpki-to-openssl-3x

78 port libpki to openssl 3x
openca · Aug 17, 2023 · 540f611 · 540f611
2 parents 020cc96 + 6c3e3fd
commit 540f611
Show file tree

Hide file tree

Showing 23 changed files with 492 additions and 322 deletions.
diff --git a/acinclude.m4 b/acinclude.m4
@@ -115,13 +115,20 @@ if [[ "$library_setup" = "no" ]] ; then
 
 
 		AC_MSG_RESULT([Searching OpenSSL Version: $library_includes]);
-		ver=`grep "^ *# *define  *OPENSSL_VERSION_NUMBER" "$library_includes" | sed 's/.*0x/0x/g' | sed 's|\L||g'`;
+
+		# Try the OpenSSL 0.9 ... 1.1.1+ format first
+		ver=`grep "^ *# *define  *OPENSSL_VERSION_NUMBER" "$library_includes" | sed 's/.*0x/0x/g' | sed 's|.*\\||g' | sed 's|\L||g'`;
 		if [[ "x$ver" == "x" ]] ; then
-		   pver=`grep "^ *# *define OPENSSL_VERSION_PRE_RELEASE" "$library_includes" | sed 's|.* "|"|g' | sed 's|""|fL|g' | sed 's|".*"|0L|g'`
-		   bver=`grep "^ *# *define OPENSSL_VERSION_STR" "$library_includes"  | sed 's|.* "||g' | sed 's|".*||g' | sed 's|\.| |g' | xargs printf "0x%1x%02X%02X" `
-		   ver="$bver$pver"
+			# checks the OpenSSL 3+ format second
+			ossl_major=`grep "define OPENSSL_VERSION_MAJOR" "$library_includes" | sed 's|.*OPENSSL_VERSION_MAJOR[ ]*||g'`
+			ossl_minor=`grep "define OPENSSL_VERSION_MINOR" "$library_includes" | sed 's|.*OPENSSL_VERSION_MINOR[ ]*||g'`
+			ossl_patch=`grep "define OPENSSL_VERSION_PATCH" "$library_includes" | sed 's|.*OPENSSL_VERSION_PATCH[ ]*||g'`
+			ver=`printf "0x%d%2.2d%2.2d00f" $ossl_major $ossl_minor $ossl_patch`
+			# pver=`grep "^ *# *define OPENSSL_VERSION_PRE_RELEASE" "$library_includes" | sed 's|.* "|"|g' | sed 's|""|fL|g' | sed 's|".*"|0L|g'`
+			# bver=`grep "^ *# *define OPENSSL_VERSION_STR" "$library_includes"  | sed 's|.* "||g' | sed 's|".*||g' | sed 's|\.| |g' | xargs printf "0x%1x%02X%02X" `
+			# ver="$bver$pver"
 		fi
-                detected_v=`echo $((ver))`
+    	detected_v=`echo $((ver))`
 		required_v=`echo $(($_version))`
 
 		dnl ver=`grep "^ *# *define  *SHLIB_VERSION_NUMBER" $library_includes | sed 's/[#_a-zA-Z" ]//g' | sed 's|\.|0|g'`;
@@ -314,11 +321,13 @@ if [[ $ok = 0 ]] ; then
 	library_libs=
 	library_setup=no
 else
-	AC_MSG_RESULT([Library OPENSSL prefix... $library_prefix ])
-	AC_MSG_RESULT([Library OPENSSL is SHARED... $library_shared ])
-	AC_MSG_RESULT([Library OPENSSL C flags... $library_cflags ])
-	AC_MSG_RESULT([Library OPENSSL LD flags... $library_ldflags ])
-	AC_MSG_RESULT([Library OPENSSL LIBS flags ... $library_libs ])
+	AC_MSG_RESULT([ Library OPENSSL prefix... $library_prefix ])
+	AC_MSG_RESULT([ Library OPENSSL is SHARED... $library_shared ])
+	AC_MSG_RESULT([ Library OPENSSL C flags... $library_cflags ])
+	AC_MSG_RESULT([ Library OPENSSL LD flags... $library_ldflags ])
+	AC_MSG_RESULT([ Library OPENSSL LIBS flags ... $library_libs ])
+	AC_MSG_RESULT([ Library OPENSSL required version ... $_version ])
+	AC_MSG_RESULT([ Library OPENSSL detected version... $ver ])
 	library_setup=yes
 fi
 

diff --git a/configure b/configure
@@ -18033,13 +18033,20 @@ printf "%s\n" "OpenSSL Checking Path: ${library_includes} does not exists!" >&6;
 
 		{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Searching OpenSSL Version: $library_includes" >&5
 printf "%s\n" "Searching OpenSSL Version: $library_includes" >&6; };
-		ver=`grep "^ *# *define  *OPENSSL_VERSION_NUMBER" "$library_includes" | sed 's/.*0x/0x/g' | sed 's|\L||g'`;
+
+		# Try the OpenSSL 0.9 ... 1.1.1+ format first
+		ver=`grep "^ *# *define  *OPENSSL_VERSION_NUMBER" "$library_includes" | sed 's/.*0x/0x/g' | sed 's|.*\\||g' | sed 's|\L||g'`;
 		if [ "x$ver" == "x" ] ; then
-		   pver=`grep "^ *# *define OPENSSL_VERSION_PRE_RELEASE" "$library_includes" | sed 's|.* "|"|g' | sed 's|""|fL|g' | sed 's|".*"|0L|g'`
-		   bver=`grep "^ *# *define OPENSSL_VERSION_STR" "$library_includes"  | sed 's|.* "||g' | sed 's|".*||g' | sed 's|\.| |g' | xargs printf "0x%1x%02X%02X" `
-		   ver="$bver$pver"
+			# checks the OpenSSL 3+ format second
+			ossl_major=`grep "define OPENSSL_VERSION_MAJOR" "$library_includes" | sed 's|.*OPENSSL_VERSION_MAJOR *||g'`
+			ossl_minor=`grep "define OPENSSL_VERSION_MINOR" "$library_includes" | sed 's|.*OPENSSL_VERSION_MINOR *||g'`
+			ossl_patch=`grep "define OPENSSL_VERSION_PATCH" "$library_includes" | sed 's|.*OPENSSL_VERSION_PATCH *||g'`
+			ver=`printf "0x%d%2.2d%2.2d00f" $ossl_major $ossl_minor $ossl_patch`
+			# pver=`grep "^ *# *define OPENSSL_VERSION_PRE_RELEASE" "$library_includes" | sed 's|.* "|"|g' | sed 's|""|fL|g' | sed 's|".*"|0L|g'`
+			# bver=`grep "^ *# *define OPENSSL_VERSION_STR" "$library_includes"  | sed 's|.* "||g' | sed 's|".*||g' | sed 's|\.| |g' | xargs printf "0x%1x%02X%02X" `
+			# ver="$bver$pver"
 		fi
-                detected_v=`echo $((ver))`
+    	detected_v=`echo $((ver))`
 		required_v=`echo $(($_version))`
 
 
@@ -18165,16 +18172,20 @@ if [ $ok = 0 ] ; then
 	library_libs=
 	library_setup=no
 else
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Library OPENSSL prefix... $library_prefix " >&5
-printf "%s\n" "Library OPENSSL prefix... $library_prefix " >&6; }
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Library OPENSSL is SHARED... $library_shared " >&5
-printf "%s\n" "Library OPENSSL is SHARED... $library_shared " >&6; }
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Library OPENSSL C flags... $library_cflags " >&5
-printf "%s\n" "Library OPENSSL C flags... $library_cflags " >&6; }
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Library OPENSSL LD flags... $library_ldflags " >&5
-printf "%s\n" "Library OPENSSL LD flags... $library_ldflags " >&6; }
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Library OPENSSL LIBS flags ... $library_libs " >&5
-printf "%s\n" "Library OPENSSL LIBS flags ... $library_libs " >&6; }
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result:  Library OPENSSL prefix... $library_prefix " >&5
+printf "%s\n" " Library OPENSSL prefix... $library_prefix " >&6; }
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result:  Library OPENSSL is SHARED... $library_shared " >&5
+printf "%s\n" " Library OPENSSL is SHARED... $library_shared " >&6; }
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result:  Library OPENSSL C flags... $library_cflags " >&5
+printf "%s\n" " Library OPENSSL C flags... $library_cflags " >&6; }
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result:  Library OPENSSL LD flags... $library_ldflags " >&5
+printf "%s\n" " Library OPENSSL LD flags... $library_ldflags " >&6; }
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result:  Library OPENSSL LIBS flags ... $library_libs " >&5
+printf "%s\n" " Library OPENSSL LIBS flags ... $library_libs " >&6; }
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result:  Library OPENSSL required version ... $_version " >&5
+printf "%s\n" " Library OPENSSL required version ... $_version " >&6; }
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result:  Library OPENSSL detected version... $ver " >&5
+printf "%s\n" " Library OPENSSL detected version... $ver " >&6; }
 	library_setup=yes
 fi
 
@@ -18441,7 +18452,7 @@ oqs_prefix=/usr
 oqs_ldflags=
 oqs_ldadd=
 
-cli_oqs=
+cli_oqs=no
 
 # Check whether --enable-oqs was given.
 if test ${enable_oqs+y}
@@ -18453,9 +18464,9 @@ else $as_nop
 fi
 
 
-if ! [ "x$cli_oqs" = "xno" ] ; then
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Open Quantum Safe: Enabled via CLI option" >&5
-printf "%s\n" "Open Quantum Safe: Enabled via CLI option" >&6; }
+if [ "x$cli_oqs" = "xyes" ] ; then
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result:  Open Quantum Safe: Enabled via CLI option ($cli_oqs) " >&5
+printf "%s\n" " Open Quantum Safe: Enabled via CLI option ($cli_oqs) " >&6; }
 
 printf "%s\n" "#define ENABLE_OQS 1" >>confdefs.h
 

diff --git a/configure.ac b/configure.ac
@@ -1504,17 +1504,17 @@ oqs_ldflags=
 oqs_ldadd=
 
 dnl Enable OQS support
-cli_oqs=
+cli_oqs=no
 
 AC_ARG_ENABLE(oqs,
 	[  --enable-oqs          enable oqs support (no)],
 	[cli_oqs=$enableval], 
 	[cli_oqs=default]
  )
 
-if ! [[ "x$cli_oqs" = "xno" ]] ; then
-	AC_MSG_RESULT([Open Quantum Safe: Enabled via CLI option])
-	AC_DEFINE(ENABLE_OQS, 1, [Open Quantum Safe Support])
+if [[ "x$cli_oqs" = "xyes" ]] ; then
+	AC_MSG_RESULT([ Open Quantum Safe: Enabled via CLI option ($cli_oqs) ])
+	AC_DEFINE(ENABLE_OQS, 1, [ Open Quantum Safe Support ])
 	oqs_check="yes"
 	oqs_cflags="-DENABLE_OQS=1"
 	oqs_ldadd="-loqs"

diff --git a/src/drivers/openssl/openssl_hsm_pkey.c b/src/drivers/openssl/openssl_hsm_pkey.c
@@ -875,7 +875,9 @@ PKI_X509_KEYPAIR *HSM_OPENSSL_X509_KEYPAIR_new(PKI_KEYPARAMS * kp,
     // Memory Cleanup
     if (value) EVP_PKEY_free(value);
     if (ret) PKI_X509_KEYPAIR_free(ret);
+#ifdef ENABLE_OQS
     if (ctx) EVP_PKEY_CTX_free(ctx);
+#endif
 
     // Error
     return NULL;
@@ -897,9 +899,13 @@ void HSM_OPENSSL_X509_KEYPAIR_free ( PKI_X509_KEYPAIR *pkey ) {
 // we have to provide our own function until OpenSSL solve
 // this issue
 
-int OPENSSL_HSM_write_bio_PrivateKey (BIO *bp, EVP_PKEY *x, 
-        const EVP_CIPHER *enc, unsigned char *out_buffer, int klen, 
-        pem_password_cb *cb, void *u) {
+int OPENSSL_HSM_write_bio_PrivateKey (BIO               * bp, 
+                                      EVP_PKEY          * x, 
+                                      const EVP_CIPHER  * enc, 
+                                      unsigned char     * out_buffer,
+                                      int                 klen, 
+                                      pem_password_cb   * cb,
+                                      void              * u) {
 
     int ret = PKI_ERR;
 
@@ -914,7 +920,7 @@ int OPENSSL_HSM_write_bio_PrivateKey (BIO *bp, EVP_PKEY *x,
         case EVP_PKEY_EC: {
 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
             ret = PEM_write_bio_ECPrivateKey(bp, 
-                EVP_PKEY_get1_EC_KEY(x), enc, (unsigned char *) kstr, klen, cb, u);
+                EVP_PKEY_get1_EC_KEY(x), enc, (unsigned char *) out_buffer, klen, cb, u);
 # elif OPENSSL_VERSION_NUMBER < 0x1010000fL
             ret = PEM_write_bio_ECPrivateKey(bp, 
                 x->pkey.ec, enc, (unsigned char *) out_buffer, klen, cb, u);

diff --git a/src/libpki/datatypes.h b/src/libpki/datatypes.h
@@ -9,6 +9,9 @@
 #ifndef _LIBPKI_PKI_DATATYPES_H
 #define _LIBPKI_PKI_DATATYPES_H	
 
+// Include the library configuration
+#include <libpki/config.h>
+
 #ifndef _LIBPKI_COMPAT_H
 # include <libpki/compat.h>
 #endif

diff --git a/src/libpki/openssl/pki_oid_defs.h b/src/libpki/openssl/pki_oid_defs.h
@@ -6,13 +6,18 @@
 * Released under OpenCA LICENSE
 */
 
-#ifndef OQS_H
-#include <oqs/oqs.h>
-#endif
-
 #ifndef _LIBPKI_OID_DEFS_H
 #define _LIBPKI_OID_DEFS_H
 
+// Include the library configuration
+#include <libpki/config.h>
+
+#ifdef ENABLE_OQS
+# ifndef OQS_H
+#  include <oqs/oqs.h>
+# endif
+#endif
+
 // GENERAL
 # define LEVEL_OF_ASSURANCE_OID   		    "1.3.6.1.4.1.18227.50.1"
 # define LEVEL_OF_ASSURANCE_NAME            "levelOfAssurance"

diff --git a/src/libpki/openssl/pqc/pqc_defs.h b/src/libpki/openssl/pqc/pqc_defs.h
@@ -6,13 +6,18 @@
 * Released under OpenCA LICENSE
 */
 
-#ifndef OQS_H
-#include <oqs/oqs.h>
-#endif
-
 #ifndef _LIBPKI_PQC_DEFS_H
 #define _LIBPKI_PQC_DEFS_H
 
+// Include the library configuration
+#include <libpki/config.h>
+
+#ifdef ENABLE_OQS
+# ifndef OQS_H
+#  include <oqs/oqs.h>
+# endif
+#endif
+
 // ===============
 // OQS definitions
 // ===============

diff --git a/src/openssl/composite/composite_ctx.c b/src/openssl/composite/composite_ctx.c
@@ -312,7 +312,7 @@ int COMPOSITE_CTX_explicit_algors_new0(COMPOSITE_CTX              * ctx,
                                        const COMPOSITE_KEY_STACK  * const components,
                                        X509_ALGORS               ** algors) {
 
-  int sk_num = 0;
+  int stack_elements_num = 0;
     // Number of elements in the stack
 
   X509_ALGORS * sk = NULL;
@@ -343,8 +343,8 @@ int COMPOSITE_CTX_explicit_algors_new0(COMPOSITE_CTX              * ctx,
   }
 
   // Gets the number of components
-  if ((sk_num = COMPOSITE_KEY_STACK_num(components)) < 2) {
-    PKI_DEBUG("Insufficient number of components in the key stack (%d)", sk_num);
+  if ((stack_elements_num = COMPOSITE_KEY_STACK_num(components)) < 2) {
+    PKI_DEBUG("Insufficient number of components in the key stack (%d)", stack_elements_num);
     return PKI_ERR;
   }
 
@@ -545,8 +545,8 @@ int COMPOSITE_CTX_explicit_algors_new0(COMPOSITE_CTX              * ctx,
     } break;
 
     case PKI_SCHEME_COMPOSITE_EXPLICIT_DILITHIUM5_FALCON1024_P521: {
-      if (sk_num != 3) {
-        PKI_DEBUG("Insufficient number of components in the key stack (%d)", sk_num);
+      if (stack_elements_num != 3) {
+        PKI_DEBUG("Insufficient number of components in the key stack (%d)", stack_elements_num);
         return PKI_ERR;
       }
       // Dilithium5 component
@@ -568,8 +568,8 @@ int COMPOSITE_CTX_explicit_algors_new0(COMPOSITE_CTX              * ctx,
     } break;
 
     case PKI_SCHEME_COMPOSITE_EXPLICIT_DILITHIUM5_FALCON1024_RSA: {
-      if (sk_num != 3) {
-        PKI_DEBUG("Insufficient number of components in the key stack (%d)", sk_num);
+      if (stack_elements_num != 3) {
+        PKI_DEBUG("Insufficient number of components in the key stack (%d)", stack_elements_num);
         return PKI_ERR;
       }
       // Dilithium5 component
@@ -596,8 +596,11 @@ int COMPOSITE_CTX_explicit_algors_new0(COMPOSITE_CTX              * ctx,
       return PKI_ERR;
   }
 
+  int algor_num = sk_X509_ALGOR_num(sk);
+  int components_num = COMPOSITE_KEY_STACK_num(components);
+
   // Checks the number of components and algorithms to be the same
-  if (sk_X509_ALGOR_num(sk) != COMPOSITE_KEY_STACK_num(components)) {
+  if (algor_num != components_num) {
     PKI_DEBUG("Number of components (%d) and algorithms (%d) do not match",
               COMPOSITE_KEY_STACK_num(components), sk_X509_ALGOR_num(ctx->sig_algs));
     sk_X509_ALGOR_pop_free(sk, X509_ALGOR_free);