Add OpenSSL 4.x support and switch to provider-only mode

configure.ac

@@ -36,6 +36,9 @@ opensslversion="$( \
     $PKG_CONFIG --modversion openssl ) | \
     sed 's/^\([0-9.]*\).*/\1/' )"
 case "$opensslversion" in
+	4.*) # Provider for OpenSSL 4.x
+	    LIBP11_LT_OLDEST="4"
+	    LIBP11_OSSL_PROVIDER="yes";;
 	3.*) # Engines directory prefix for OpenSSL 3.x
 	    LIBP11_LT_OLDEST="3"
 	    LIBP11_OSSL_PROVIDER="yes"

examples/ed25519keygen.c

@@ -27,7 +27,9 @@
  * SUCH DAMAGE.
  */
 
-#if !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if !defined(OPENSSL_NO_EC) && \
+    (OPENSSL_VERSION_NUMBER >= 0x30000000L) && \
+    (OPENSSL_VERSION_NUMBER < 0x40000000L)
 
 #include <libp11.h>
 #include <string.h>
@@ -176,13 +178,16 @@ int main(int argc, char *argv[])
 	return rc;
 }
 
-#else /* !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#else /* !OPENSSL_NO_EC && OpenSSL 3.x */
+
+#include <stdio.h>
 
 int main(void)
 {
-	return 0;
+	fprintf(stderr, "Skipped: requires OpenSSL 3.x built with EC support\n");
+	return 77;
 }
 
-#endif /* !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#endif /* !OPENSSL_NO_EC && OpenSSL 3.x */
 
 /* vim: set noexpandtab: */

examples/ed448keygen.c

@@ -27,7 +27,9 @@
  * SUCH DAMAGE.
  */
 
-#if !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if !defined(OPENSSL_NO_EC) && \
+    (OPENSSL_VERSION_NUMBER >= 0x30000000L) && \
+    (OPENSSL_VERSION_NUMBER < 0x40000000L)
 
 #include <libp11.h>
 #include <string.h>
@@ -176,13 +178,16 @@ int main(int argc, char *argv[])
 	return rc;
 }
 
-#else /* !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#else /* !OPENSSL_NO_EC && OpenSSL 3.x */
+
+#include <stdio.h>
 
 int main(void)
 {
-	return 0;
+	fprintf(stderr, "Skipped: requires OpenSSL 3.x built with EC support\n");
+	return 77;
 }
 
-#endif /* !defined(OPENSSL_NO_EC) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#endif /* !OPENSSL_NO_EC && OpenSSL 3.x */
 
 /* vim: set noexpandtab: */

src/eng_back.c

@@ -31,6 +31,8 @@
 #include <stdio.h>
 #include <string.h>
 
+#ifndef OPENSSL_NO_ENGINE
+
 struct engine_ctx_st {
 	/* UI */
 	int ui_method_provided;
@@ -298,4 +300,6 @@ int ENGINE_CTX_ctrl(ENGINE_CTX *ctx, int cmd, long i, void *p, void (*f)(void))
 	return 0;
 }
 
+#endif /* OPENSSL_NO_ENGINE */
+
 /* vim: set noexpandtab: */

src/eng_front.c

@@ -21,6 +21,9 @@
 #include <openssl/crypto.h>
 #include <openssl/objects.h>
 #include <openssl/engine.h>
+
+#ifndef OPENSSL_NO_ENGINE
+
 #ifndef ENGINE_CMD_BASE
 #error did not get engine.h
 #endif
@@ -297,4 +300,6 @@ static int bind_fn(ENGINE *e, const char *id)
 IMPLEMENT_DYNAMIC_CHECK_FN()
 IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
 
+#endif /* OPENSSL_NO_ENGINE */
+
 /* vim: set noexpandtab: */

src/engine.h

@@ -25,6 +25,8 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+#ifndef OPENSSL_NO_ENGINE
+
 #ifndef _ENGINE_PKCS11_H
 #define _ENGINE_PKCS11_H
 
@@ -98,4 +100,6 @@ void ENGINE_CTX_log(ENGINE_CTX *ctx, int level, const char *format, ...)
 
 #endif /* _ENGINE_PKCS11_H */
 
+#endif /* OPENSSL_NO_ENGINE */
+
 /* vim: set noexpandtab: */

src/p11_eddsa.c

@@ -36,10 +36,13 @@
 #include <openssl/bn.h>
 
 static int pkey_ex_idx = 0;
+
+#if OPENSSL_VERSION_NUMBER < 0x40000000L
 static EVP_PKEY_METHOD *pkcs11_ed25519_method = NULL;
 static EVP_PKEY_METHOD *pkcs11_ed448_method = NULL;
 static const EVP_PKEY_METHOD *orig_ed25519_method = NULL;
 static const EVP_PKEY_METHOD *orig_ed448_method = NULL;
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 
 int (*orig_ed25519_digestsign)(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
 	const unsigned char *tbs, size_t tbslen);
@@ -58,6 +61,8 @@ static void alloc_pkey_ex_index(void)
 	}
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x40000000L
+
 static void free_pkey_ex_index(void)
 {
 	if (pkey_ex_idx > 0) {
@@ -343,6 +348,8 @@ void pkcs11_ed_key_method_free(void)
 	}
 }
 
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
+
 void pkcs11_set_ex_data_pkey(EVP_PKEY *pkey, PKCS11_OBJECT_private *key)
 {
 	EVP_PKEY_set_ex_data(pkey, pkey_ex_idx, key);
@@ -445,16 +452,20 @@ static EVP_PKEY *pkcs11_get_evp_key_ed25519(PKCS11_OBJECT_private *key)
 		return NULL;
 
 	if (key->object_class == CKO_PRIVATE_KEY) {
+#if OPENSSL_VERSION_NUMBER < 0x40000000L
 		/* global initialize ED25519 EVP_PKEY_METHOD */
 		if (!pkcs11_ed25519_method_new()) {
 			EVP_PKEY_free(pkey);
 			return NULL;
 		}
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 		/* creates a new EVP_PKEY object which requires its own key object reference */
 		alloc_pkey_ex_index();
 		key = pkcs11_object_ref(key);
 		pkcs11_set_ex_data_pkey(pkey, key);
+#if OPENSSL_VERSION_NUMBER < 0x40000000L
 		atexit(pkcs11_ed25519_method_free);
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 	}
 	return pkey;
 }
@@ -476,16 +487,20 @@ static EVP_PKEY *pkcs11_get_evp_key_ed448(PKCS11_OBJECT_private *key)
 		return NULL;
 
 	if (key->object_class == CKO_PRIVATE_KEY) {
+#if OPENSSL_VERSION_NUMBER < 0x40000000L
 		/* global initialize ED448 EVP_PKEY_METHOD */
 		if (!pkcs11_ed448_method_new()) {
 			EVP_PKEY_free(pkey);
 			return NULL;
 		}
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 		/* create a new EVP_PKEY object which requires its own key object reference */
 		alloc_pkey_ex_index();
 		key = pkcs11_object_ref(key);
 		pkcs11_set_ex_data_pkey(pkey, key);
+#if OPENSSL_VERSION_NUMBER < 0x40000000L
 		atexit(pkcs11_ed448_method_free);
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 	}
 	return pkey;
 }

src/p11_load.c

@@ -184,9 +184,9 @@ void pkcs11_CTX_free(PKCS11_CTX *ctx)
 #if OPENSSL_VERSION_NUMBER >= 0x10100002L
 #ifndef OPENSSL_NO_EC
 	pkcs11_ec_key_method_free();
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L
 	pkcs11_ed_key_method_free();
-# endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+# endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_VERSION_NUMBER < 0x40000000L */
 #endif /* OPENSSL_NO_EC */
 #else /* OPENSSL_VERSION_NUMBER */
 #ifndef OPENSSL_NO_ECDSA

src/p11_pkey.c

@@ -21,6 +21,8 @@
 #include "libp11-int.h"
 #include <string.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x40000000L
+
 static int (*orig_pkey_rsa_sign_init) (EVP_PKEY_CTX *ctx);
 static int (*orig_pkey_rsa_sign) (EVP_PKEY_CTX *ctx,
 	unsigned char *sig, size_t *siglen,
@@ -30,21 +32,22 @@ static int (*orig_pkey_rsa_decrypt) (EVP_PKEY_CTX *ctx,
 	unsigned char *out, size_t *outlen,
 	const unsigned char *in, size_t inlen);
 
-#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
 static int (*orig_pkey_ec_sign_init) (EVP_PKEY_CTX *ctx);
 static int (*orig_pkey_ec_sign) (EVP_PKEY_CTX *ctx,
 	unsigned char *sig, size_t *siglen,
 	const unsigned char *tbs, size_t tbslen);
 
-# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#  if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static int (*orig_pkey_ed25519_digestsign)(EVP_MD_CTX *ctx,
 	unsigned char *sig, size_t *siglen,
 	const unsigned char *tbs, size_t tbslen);
 static int (*orig_pkey_ed448_digestsign)(EVP_MD_CTX *ctx,
 	unsigned char *sig, size_t *siglen,
 	const unsigned char *tbs, size_t tbslen);
-# endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
-#endif /* OPENSSL_NO_EC */
+#  endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+# endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
 
 #if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
 
@@ -151,6 +154,7 @@ static void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth,
 }
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x40000000L
 static CK_MECHANISM_TYPE pkcs11_md2ckm(const EVP_MD *md)
 {
 	switch (EVP_MD_type(md)) {
@@ -937,4 +941,6 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
 	return 0;
 }
 
+#endif /* OPENSSL_VERSION_NUMBER < 0x40000000L */
+
 /* vim: set noexpandtab: */

tests/case-insensitive.softhsm

@@ -39,34 +39,38 @@ MIXED_PUB_KEY="pKcS11:token=libp11-0;id=%01%02%03%04;object=server-key-0;type=pu
 init_token "rsa" "1" "libp11" ${ID} "server-key" "privkey" "pubkey" "cert"
 
 # Load openssl settings
-TEMP_LD_LIBRARY_PATH=${LD_LIBRARY_PATH}
 . ${srcdir}/openssl-settings.sh
 
+# Restore openssl settings
+trap cleanup EXIT
+
 # Run the test
 ${WRAPPER} ./evp-sign default false "${outdir}/engines.cnf" \
 	${ALL_LOWER_PRIV_KEY} ${ALL_LOWER_PUB_KEY} ${MODULE}
-if [[ $? -ne 0 ]]; then
-	echo "All lower case PKCS#11 URI scheme detection failed"
+rc=$?
+if [[ $rc -eq 77 ]]; then
+	echo "PKCS#11 URI scheme detection test skipped."
+	rm -rf "$outdir"
+	exit 77
+elif [[ $rc -ne 0 ]]; then
+	echo "All lower case PKCS#11 URI scheme detection failed."
 	exit 1
 fi
 
 ./evp-sign default false "${outdir}/engines.cnf" \
 	${ALL_UPPER_PRIV_KEY} ${ALL_UPER_PUB_KEY} ${MODULE}
 if [[ $? -ne 0 ]]; then
-	echo "All upper case PKCS#11 URI scheme detection failed"
+	echo "All upper case PKCS#11 URI scheme detection failed."
 	exit 1
 fi
 
 ./evp-sign default false "${outdir}/engines.cnf" \
 	${MIXED_PRIV_KEY} ${MIXED_PUB_KEY} ${MODULE}
 if [[ $? -ne 0 ]]; then
-	echo "Mixed case PKCS#11 URI scheme detection failed"
+	echo "Mixed case PKCS#11 URI scheme detection failed."
 	exit 1
 fi
 
-# Restore settings
-export LD_LIBRARY_PATH=${TEMP_LD_LIBRARY_PATH}
-
 rm -rf "$outdir"
 
 exit 0

tests/check-all-prov.c

@@ -85,10 +85,13 @@ int main(int argc, char *argv[])
 	return ret;
 }
 
-#else
+#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
+#include <stdio.h>
 
 int main() {
-	return 0;
+	fprintf(stderr, "Skipped: requires OpenSSL >= 3.0\n");
+	return 77;
 }
 
 #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */

tests/check-privkey-prov.c

@@ -84,10 +84,13 @@ int main(int argc, char *argv[])
 	return ret;
 }
 
-#else
+#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
+#include <stdio.h>
 
 int main() {
-	return 0;
+	fprintf(stderr, "Skipped: requires OpenSSL >= 3.0\n");
+	return 77;
 }
 
 #endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */

tests/check-privkey.c

@@ -31,6 +31,8 @@
 #include <openssl/pem.h>
 #include <openssl/err.h>
 
+#ifndef OPENSSL_NO_ENGINE
+
 static void usage(char *argv[])
 {
 	fprintf(stderr, "%s [certificate (PEM or URL)] [private key URL] "
@@ -188,4 +190,15 @@ int main(int argc, char *argv[])
 	return ret;
 }
 
+#else /* OPENSSL_NO_ENGINE */
+
+#include <stdio.h>
+
+int main() {
+	fprintf(stderr, "Skipped: ENGINE support not available\n");
+	return 77;
+}
+
+#endif /* OPENSSL_NO_ENGINE */
+
 /* vim: set noexpandtab: */