Merge branch 'develop' into 'master'

release 3.21.3087

See merge request developers/libksi!452

ABI_VERSION

@@ -1,4 +1,4 @@
-14:0:1
+14:1:1
 
 # Before making a release, the LTVER string should be modified. The
 # string is of the form c:r:a. Follow these instructions sequentially:

README.md

@@ -29,6 +29,9 @@ sudo curl -O https://download.guardtime.com/ksi/configuration/guardtime.el7.repo
 # In case of RHEL/CentOS 8
 sudo curl -O https://download.guardtime.com/ksi/configuration/guardtime.el8.repo
 
+# In case of RHEL/CentOS 9
+sudo curl -O https://download.guardtime.com/ksi/configuration/guardtime.el9.repo
+
 sudo yum install libksi
 
 
@@ -37,11 +40,8 @@ sudo yum install libksi
 # Add Guardtime pgp key.
 sudo curl https://download.guardtime.com/ksi/GUARDTIME-GPG-KEY | sudo apt-key add -
 
-# In case of Ubuntu 16 (Xenial)
-sudo curl -o /etc/apt/sources.list.d/guardtime.list https://download.guardtime.com/ksi/configuration/guardtime.xenial.list
-
-# In case of Debian 9 (Stretch)
-sudo curl -o /etc/apt/sources.list.d/guardtime.list https://download.guardtime.com/ksi/configuration/guardtime.stretch.list
+# In case of Debian 12 (Bookworm)
+sudo curl -o /etc/apt/sources.list.d/guardtime.list https://download.guardtime.com/ksi/configuration/guardtime.bookworm.list
 
 sudo apt update
 apt-get install libksi
@@ -216,9 +216,10 @@ See `license.txt` file.
 
 ## Compatibility ##
 
-| OS/Platform                              | Compatibility                                |
-| :---                                       | :---                                         |
-| CentOS/RHEL 7 and 8 x86_64 architecture | Fully compatible and tested.                  |
-| Debian, ...                                | Compatible but not tested on a regular basis. |
-| macOS                                       | Compatible but not tested on a regular basis. |
-| Windows 7, 8, 10                           | Compatible but not tested on a regular basis. |
+| OS/Platform                              | Compatibility                                 |
+| :---                                     | :---                                          |
+| CentOS/RHEL 7,8,9 x86_64 architecture    | Fully compatible and tested.                  |
+| Debian 12+                               | Fully compatible and tested.                  |
+| Ubuntu                                   | Compatible but not tested on a regular basis. |
+| macOS                                    | Compatible but not tested on a regular basis. |
+| Windows 7, 8, 10, 11                     | Compatible but not tested on a regular basis. |

VERSION

@@ -1 +1 @@
-3.21.3075
+3.21.3087

changelog

@@ -1,5 +1,11 @@
 Version 3.21
 
+2024-05-17 release(3.21.3087)
+
+* IMPROVEMENT: OpenSSL 3 is supported for packaging.
+* IMPROVEMENT: Functions deprecated in OpenSSL 3 replaced with new ones.
+* IMPROVEMENT: Build warnings reduced.
+
 2022-01-06 release(3.21.3075)
 
 * FEATURE: Added SM-3 and SHA-3 family hash functions for OpenSSL (disabled by default).

packaging/deb/control.in

@@ -10,7 +10,7 @@ Architecture: any
 Section: devel
 Priority: optional
 # Note that the libcurl4-gnutls-dev depends on libcurl3-gnutls!
-Depends: libcurl3-gnutls | libcurl3, libssl1.0.2 | libssl1.0.0 | libssl0.9.8
+Depends: libcurl3-gnutls | libcurl3, libssl1.0.2 | libssl1.0.0 | libssl0.9.8 | libssl3 (>= 3.0.0)
 Description: KSI C API.
 
 Package: @PACKAGE@-dev

src/ksi/GNUmakefile.am

@@ -79,6 +79,7 @@ libksi_la_SOURCES = \
 	impl/net_file_impl.h \
 	net_uri.c \
 	net_uri.h \
+	openssl_compatibility.c \
 	openssl_compatibility.h \
 	impl/net_uri_impl.h \
 	pkitruststore.c \

src/ksi/hash_openssl.c

@@ -33,9 +33,11 @@ static const EVP_MD *hashAlgorithmToEVP(KSI_HashAlgorithm hash_id) {
 		case KSI_HASHALG_SHA1:
 			return EVP_sha1();
 #endif
+#ifndef OPENSSL_NO_RMD160
 #ifndef OPENSSL_NO_RIPEMD
 		case KSI_HASHALG_RIPEMD160:
 			return EVP_ripemd160();
+#endif
 #endif
 		case KSI_HASHALG_SHA2_256:
 			return EVP_sha256();
@@ -250,7 +252,7 @@ struct KSI_HmacHasher_st {
 	KSI_CTX *ctx;
 
 	/** OpenSSL HMAC context. */
-	HMAC_CTX *openssl_ctx;
+	void* openssl_ctx;
 
 	/** Hash algorithm id for reset. */
 	KSI_HashAlgorithm hash_id;
@@ -329,7 +331,7 @@ int KSI_HmacHasher_open(KSI_CTX *ctx, KSI_HashAlgorithm algo_id, const char *key
 	tmp_hasher->openssl_ctx = NULL;
 	tmp_hasher->key = NULL;
 
-	tmp_hasher->openssl_ctx = HMAC_CTX_new();
+	tmp_hasher->openssl_ctx = KSI_openssl.mac_ctx_new();
 	if (tmp_hasher->openssl_ctx == NULL) {
 		KSI_pushError(ctx, res = KSI_OUT_OF_MEMORY, "Unable to create HMAC context.");
 		goto cleanup;
@@ -373,16 +375,11 @@ int KSI_HmacHasher_reset(KSI_HmacHasher *hasher) {
 	}
 	KSI_ERR_clearErrors(hasher->ctx);
 
-	if (!HMAC_CTX_reset(hasher->openssl_ctx)) {
+	if (!KSI_openssl.mac_ctx_reset(hasher->openssl_ctx, (const unsigned char*)hasher->key, strlen(hasher->key), hashAlgorithmToEVP(hasher->hash_id))) {
 		KSI_pushError(hasher->ctx, res = KSI_UNKNOWN_ERROR, "Unable to reset OpenSSL HMAC");
 		goto cleanup;
 	}
 
-	if(!HMAC_Init_ex(hasher->openssl_ctx, hasher->key, strlen(hasher->key), hashAlgorithmToEVP(hasher->hash_id), NULL)) {
-		KSI_pushError(hasher->ctx, res = KSI_UNKNOWN_ERROR, "Unable to init OpenSSL HMAC");
-		goto cleanup;
-	}
-
 	res = KSI_OK;
 
 cleanup:
@@ -399,7 +396,8 @@ int KSI_HmacHasher_add(KSI_HmacHasher *hasher, const void *data, size_t data_len
 	}
 	KSI_ERR_clearErrors(hasher->ctx);
 
-	if (!HMAC_Update(hasher->openssl_ctx, data, data_length)) {
+
+	if (!KSI_openssl.mac_ctx_update(hasher->openssl_ctx, data, data_length)) {
 		KSI_pushError(hasher->ctx, res = KSI_UNKNOWN_ERROR, "Unable to update OpenSSL HMAC");
 		goto cleanup;
 	}
@@ -416,16 +414,15 @@ int KSI_HmacHasher_close(KSI_HmacHasher *hasher, KSI_DataHash **hmac) {
 	KSI_DataHash *tmp = NULL;
 
 	unsigned char digest[64];
-	unsigned int digest_len = 0;
+	size_t digest_len = 0;
 
 	if (hasher == NULL || hmac == NULL) {
 		res = KSI_INVALID_ARGUMENT;
 		goto cleanup;
 	}
 	KSI_ERR_clearErrors(hasher->ctx);
 
-
-	if (!HMAC_Final(hasher->openssl_ctx, digest, &digest_len)) {
+	if (!KSI_openssl.mac_ctx_final(hasher->openssl_ctx, digest, sizeof(digest), &digest_len)) {
 		KSI_pushError(hasher->ctx, res = KSI_UNKNOWN_ERROR, "Unable to finalize OpenSSL HMAC");
 		goto cleanup;
 	}
@@ -450,7 +447,7 @@ int KSI_HmacHasher_close(KSI_HmacHasher *hasher, KSI_DataHash **hmac) {
 
 void KSI_HmacHasher_free(KSI_HmacHasher *hasher) {
 	if (hasher != NULL) {
-		if (hasher->openssl_ctx != NULL) HMAC_CTX_free(hasher->openssl_ctx);
+		if (hasher->openssl_ctx != NULL) KSI_openssl.mac_ctx_free(hasher->openssl_ctx);
 		if (hasher->key != NULL) KSI_free(hasher->key);
 		KSI_free(hasher);
 	}

src/ksi/makefile

@@ -161,6 +161,7 @@ EXT_LIB = wsock32.lib wldap32.lib winmm.lib user32.lib gdi32.lib
 
 !IF "$(HASH_PROVIDER)" == "OPENSSL" || "$(TRUST_PROVIDER)" == "OPENSSL"
 CCFLAGS = $(CCFLAGS) /I"$(OPENSSL_DIR)\include"
+LIB_OBJ = $(LIB_OBJ) $(OBJ_DIR)\openssl_compatibility.obj
 !IF "$(DLL)" == "dll"
 LDFLAGS = $(LDFLAGS) /LIBPATH:"$(OPENSSL_DIR)\$(DLL)"
 EXT_LIB = $(EXT_LIB) libeay32$(RTL).lib advapi32.lib

src/ksi/net_async.c

@@ -694,7 +694,7 @@ static int addRequest(KSI_AsyncClient *c, KSI_AsyncHandle *handle, void *req,
 	KSI_Header *hdr = NULL;
 	KSI_AsyncHandle *confHandle = NULL;
 	void *tmpReq = NULL;
-	KSI_HashAlgorithm clientHmacAlg = KSI_HASHALG_INVALID;
+	KSI_HashAlgorithm clientHmacAlg = KSI_HASHALG_INVALID_VALUE;
 	KSI_DataHash *hmac = NULL;
 
 	if (c == NULL || handle == NULL || req == NULL) {
@@ -760,7 +760,7 @@ static int addRequest(KSI_AsyncClient *c, KSI_AsyncHandle *handle, void *req,
 	hdr = NULL;
 	/* Update HMAC if a different algorithm is configured. */
 	clientHmacAlg = (KSI_HashAlgorithm)c->options[KSI_ASYNC_OPT_HMAC_ALGORITHM];
-	if (clientHmacAlg != KSI_HASHALG_INVALID && clientHmacAlg != defaultHmacAlg) {
+	if (clientHmacAlg != KSI_HASHALG_INVALID_VALUE && clientHmacAlg != defaultHmacAlg) {
 		res = pdu_getHmac(pdu, &hmac);
 		if (res != KSI_OK) goto cleanup;
 		KSI_DataHash_free(hmac);
@@ -1296,7 +1296,7 @@ static int processResponseQueue(KSI_AsyncClient *c,
 			}
 
 			res = KSI_Pdu_verifyHmac(c->ctx, hmac, pass,
-					(clientHmacAlg != KSI_HASHALG_INVALID ? clientHmacAlg : defaultHmacAlg),
+					(clientHmacAlg != KSI_HASHALG_INVALID_VALUE ? clientHmacAlg : defaultHmacAlg),
 					pdu_calculateHmac, pdu);
 			if (res != KSI_OK) {
 				KSI_pushError(c->ctx, res, NULL);
@@ -1691,7 +1691,7 @@ static int asyncClient_setDefaultOptions(KSI_AsyncClient *c) {
 	if ((res = asyncClient_setOption(c, KSI_ASYNC_OPT_PUSH_CONF_CALLBACK, (void *)NULL)) != KSI_OK) goto cleanup;
 	if ((res = asyncClient_setOption(c, KSI_ASYNC_OPT_CONNECTION_STATE_CALLBACK, (void *)NULL)) != KSI_OK) goto cleanup;
 	if ((res = asyncClient_setOption(c, KSI_ASYNC_OPT_CALLBACK_USERDATA, (void *)NULL)) != KSI_OK) goto cleanup;
-	if ((res = asyncClient_setOption(c, KSI_ASYNC_OPT_HMAC_ALGORITHM, (void *)KSI_HASHALG_INVALID)) != KSI_OK) goto cleanup;
+	if ((res = asyncClient_setOption(c, KSI_ASYNC_OPT_HMAC_ALGORITHM, (void *)KSI_HASHALG_INVALID_VALUE)) != KSI_OK) goto cleanup;
 	/* Private options. */
 	if ((res = asyncClient_setOption(c, KSI_ASYNC_PRIVOPT_ROUND_DURATION, (void *)KSI_ASYNC_ROUND_DURATION_SEC)) != KSI_OK) goto cleanup;
 	if ((res = asyncClient_setOption(c, KSI_ASYNC_PRIVOPT_INVOKE_CONF_RECEIVED_CALLBACK, (void *)true)) != KSI_OK) goto cleanup;

src/ksi/openssl_compatibility.c

@@ -0,0 +1,152 @@
+/*
+ * Copyright 2013-2024 Guardtime, Inc.
+ *
+ * This file is part of the Guardtime client SDK.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES, CONDITIONS, OR OTHER LICENSES OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ * "Guardtime" and "KSI" are trademarks or registered trademarks of
+ * Guardtime, Inc., and no license to trademarks is granted; Guardtime
+ * reserves and retains all trademark rights.
+ */
+
+
+#include "openssl_compatibility.h"
+#include "internal.h"
+#include "hash.h"
+#include "tlv_template.h"
+#include <string.h>
+#include <stddef.h>
+
+
+#if (KSI_PKI_TRUSTSTORE_IMPL == KSI_IMPL_OPENSSL) || (KSI_HASH_IMPL == KSI_IMPL_OPENSSL)
+
+#	include <openssl/evp.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#	include <openssl/provider.h>
+#	include <openssl/core_names.h>
+#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
+#	include <openssl/hmac.h>
+#endif
+
+
+
+
+//     0x1    01   0000        0
+// [32:28][27:20][19 :4][3  :  0]
+// [major][minor][patch][release]
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	static OSSL_PROVIDER *_legacy = NULL;
+	static OSSL_PROVIDER *_default = NULL;
+	static EVP_MAC *mac_impl = NULL;
+#endif
+
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	void static openssl_setup(void) {
+		OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+		_default = OSSL_PROVIDER_load(NULL, "default"); // To support ripemd160.
+		_legacy = OSSL_PROVIDER_load(NULL, "legacy"); // To support ripemd160.
+		mac_impl = EVP_MAC_fetch(NULL, "HMAC", NULL);
+	}
+
+	void static openssl_cleanup(void) {
+		EVP_MAC_free(mac_impl);
+		OSSL_PROVIDER_unload(_legacy);
+		OSSL_PROVIDER_unload(_default);
+		OPENSSL_cleanup();
+	}
+
+	static void* openssl_mac_ctx_new(void) {
+		return EVP_MAC_CTX_new(mac_impl);
+	}
+
+	static void openssl_mac_ctx_free(void *ctx) {
+		EVP_MAC_CTX_free(ctx);
+	}
+
+	static int openssl_mac_ctx_reset(void *ctx, const unsigned char *key, size_t key_len, const EVP_MD *md) {
+		const char *digest = NULL;
+		OSSL_PARAM params[2];
+		digest = EVP_MD_name(md);
+		params[0] = OSSL_PARAM_construct_utf8_string("digest", (char*)digest, 0);
+		params[1] = OSSL_PARAM_construct_end();
+		return EVP_MAC_init(ctx, key, key_len, params);
+	}
+
+	static int openssl_mac_ctx_update(void *ctx, const unsigned char *data, size_t data_len) {
+		return EVP_MAC_update(ctx, data, data_len);
+	}
+
+	static int openssl_mac_ctx_final(void *ctx, unsigned char *out, size_t out_size, size_t *out_len) {
+		return EVP_MAC_final(ctx, out, out_len, out_size);
+	}
+#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
+	void static openssl_setup(void) {
+		OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+	}
+
+	void static openssl_cleanup(void) {
+		OPENSSL_cleanup();
+	}
+
+	static void* openssl_mac_ctx_new(void) {
+		return HMAC_CTX_new();
+	}
+
+	static void openssl_mac_ctx_free(void *ctx) {
+		HMAC_CTX_free(ctx);
+	}
+
+	static int openssl_mac_ctx_reset(void *ctx, const unsigned char *key, size_t key_len, const EVP_MD*md) {
+		if (!HMAC_CTX_reset(ctx)) return 0;
+		if (!HMAC_Init_ex(ctx, key, (int)key_len, md, NULL)) return 0;
+		return 1;
+	}
+
+	static int openssl_mac_ctx_update(void *ctx, const unsigned char *data, size_t data_len) {
+		return HMAC_Update(ctx, data, data_len);
+	}
+
+	static int openssl_mac_ctx_final(void *ctx, unsigned char *out, size_t out_size, size_t *out_len) {
+		int ret = 0;
+		unsigned int tmp_len = 0;
+
+		ret = HMAC_Final(ctx, out, &tmp_len);
+		if(!ret) return ret;
+		*out_len = tmp_len;
+		return 1;
+	}
+#else
+	void static openssl_setup(void) {
+		OpenSSL_add_all_digests();
+	}
+
+	void static openssl_cleanup(void) {
+		EVP_cleanup();
+	}
+#endif
+
+struct openssl_compatibility_functions_st KSI_openssl = {
+	openssl_setup,
+	openssl_cleanup,
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	openssl_mac_ctx_new,
+	openssl_mac_ctx_free,
+	openssl_mac_ctx_reset,
+	openssl_mac_ctx_update,
+	openssl_mac_ctx_final,
+#endif
+};
+
+
+
+#endif

src/ksi/openssl_compatibility.h

@@ -21,10 +21,30 @@
 #ifndef OPENSSL_COMPATIBILITY_H_
 #define OPENSSL_COMPATIBILITY_H_
 
+#include <openssl/opensslv.h>
+#include <openssl/evp.h>
+#include <stddef.h>
+
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+
+	struct openssl_compatibility_functions_st {
+		void (*openssl_setup)(void);
+		void (*openssl_cleanup)(void);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		void* (*mac_ctx_new)(void);
+		void (*mac_ctx_free)(void *ctx);
+		int (*mac_ctx_reset)(void *ctx, const unsigned char *key, size_t key_len, const EVP_MD *md);
+		int (*mac_ctx_update)(void *ctx, const unsigned char *data, size_t data_len);
+		int (*mac_ctx_final)(void *ctx, unsigned char *out, size_t out_size, size_t *out_len);
+#endif
+	};
+
+	extern struct openssl_compatibility_functions_st KSI_openssl;
+
 	/**
 	 * These macros are needed to support both OpenSSL 1.0 and 1.1.
 	 *