From 477878d5a454e2e69c03e3517801f50ed97fc92b Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Wed, 15 Oct 2025 17:53:09 +0200 Subject: [PATCH 01/14] util/log.c LOG_generic(): fix to-the-point compiler warnings on size and signedness of string length and snprintf result --- src/libsecutils/src/util/log.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/libsecutils/src/util/log.c b/src/libsecutils/src/util/log.c index 7739037..3181ea3 100644 --- a/src/libsecutils/src/util/log.c +++ b/src/libsecutils/src/util/log.c @@ -180,10 +180,13 @@ bool LOG_generic(OPTIONAL const char* func, OPTIONAL const char* file, int linen char loc[loc_len]; memset(loc, 0x00, loc_len); - int len = snprintf(loc, sizeof(loc), "%s", app_name); #ifndef NDEBUG + int len = snprintf(loc, sizeof(loc), "%s", app_name); + if (len < 0) + len = 0; /* on error, cannot assume any string written to loc buffer */ /* print function name, source file name, and line number only if debugging is enabled at build time */ - (void)snprintf(loc + len, sizeof(loc) - len, ":%s():%s:%d:", func, file, lineno); + if (snprintf(loc + len, sizeof(loc) - (size_t)len, ":%s():%s:%d:", func, file, lineno) < 0) + loc[0] = '\0'; /* on error, resort to empty string */ #endif /* print string corresponding to level */ @@ -223,8 +226,8 @@ bool LOG_generic(OPTIONAL const char* func, OPTIONAL const char* file, int linen } /* print message, making sure that newline is printed */ - len = strlen(msg); - const int msg_nl = len > 0 and msg[len - 1] is_eq '\n'; + size_t msg_len = strlen(msg); + const int msg_nl = msg_len > 0 and msg[msg_len - 1] is_eq '\n'; const int ret = fprintf(fd, "%s %s: %s%s", loc, lvl, msg, msg_nl ? "" : "\n"); /* make sure that printing is done right away, return info on success */ From 6103eb9814494256e87655a0e2a0fbdc8c9d3fb4 Mon Sep 17 00:00:00 2001 
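Review bot: The second snprintf inside the `#ifndef NDEBUG` block still computes `loc + len` and `sizeof(loc) - (size_t)len` from an unclamped `len`: snprintf returns the length the full string would have had, so when app_name does not fit in `loc`, `len` exceeds sizeof(loc), the destination pointer lands past the buffer and the size wraps to near SIZE_MAX. One fix that covers the error and truncation cases at once is to keep `(void)snprintf(loc, sizeof(loc), "%s", app_name);` unconditionally before `#ifndef NDEBUG`, as the old code did, and inside the block derive `size_t len = strlen(loc);`, which is bounded by sizeof(loc) - 1 by construction so `sizeof(loc) - len` cannot wrap. Moving the first snprintf under `#ifndef NDEBUG` also means NDEBUG builds never copy app_name into `loc` at all, so their log lines lose the app-name prefix; unless that is intended, the unconditional call above restores it. LOG_generic starts before and continues after both hunks.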
From: "Dr. David von Oheimb" Date: Wed, 15 Oct 2025 14:59:35 +0200 Subject: [PATCH 02/14] UTIL_parse_name(): fix type of 'chtype' parameter --- src/libsecutils/include/secutils/credentials/cert.h | 2 +- src/libsecutils/src/credentials/cert.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libsecutils/include/secutils/credentials/cert.h b/src/libsecutils/include/secutils/credentials/cert.h index c83a6f4..9422898 100644 --- a/src/libsecutils/include/secutils/credentials/cert.h +++ b/src/libsecutils/include/secutils/credentials/cert.h @@ -109,7 +109,7 @@ void CERTS_free(OPTIONAL STACK_OF(X509) *certs); * @return ASN.1 representation of the DN, or null on error *******************************************************************************/ /* this function is used by the genCMPClient API implementation */ -X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn); +X509_NAME* UTIL_parse_name(const char* dn, int chtype, bool multirdn); /*!***************************************************************************** diff --git a/src/libsecutils/src/credentials/cert.c b/src/libsecutils/src/credentials/cert.c index 9e34eb1..651478f 100644 --- a/src/libsecutils/src/credentials/cert.c +++ b/src/libsecutils/src/credentials/cert.c @@ -77,7 +77,7 @@ void CERTS_free(OPTIONAL STACK_OF(X509) *certs) * The NULL-DN may be given as "/" or "". */ /* adapted from OpenSSL:apps/lib/apps.c */ -X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn) +X509_NAME* UTIL_parse_name(const char* dn, int chtype, bool multirdn) { size_t buflen = strlen(dn) + 1; /* to copy the types and values. * Due to escaping, the copy can only become shorter */ From cbe3b0fd661e6a243cbc19c54ab7ba9a75c9c2de Mon Sep 17 00:00:00 2001 
From: "Dr. David von Oheimb" Date: Wed, 15 Oct 2025 17:39:21 +0200 Subject: [PATCH 03/14] CREDENTIALS_new(): fix OPTIONAL label of cert parameter, update decl style --- src/libsecutils/include/secutils/credentials/credentials.h | 6 +++--- src/libsecutils/src/credentials/credentials.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/libsecutils/include/secutils/credentials/credentials.h b/src/libsecutils/include/secutils/credentials/credentials.h index 6b6d1f6..96994e2 100644 --- a/src/libsecutils/include/secutils/credentials/credentials.h +++ b/src/libsecutils/include/secutils/credentials/credentials.h @@ -40,9 +40,9 @@ typedef const char* component_creds_id; /**< component credentials identifier */ * @return pointer to a new CREDENTIALS structure, or null on error *******************************************************************************/ /* this function is part of the genCMPClient API */ -CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY* pkey, OPTIONAL const OPTIONAL X509* cert, - OPTIONAL const STACK_OF(X509) * chain, OPTIONAL const char* pwd, - OPTIONAL const char* pwdref); +CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY *pkey, OPTIONAL const X509 *cert, + OPTIONAL const STACK_OF(X509) *chain, OPTIONAL const char *pwd, + OPTIONAL const char *pwdref); /*!***************************************************************************** * @brief get private key component of the given credentials diff --git a/src/libsecutils/src/credentials/credentials.c b/src/libsecutils/src/credentials/credentials.c index e0009e6..e43c6ce 100644 --- a/src/libsecutils/src/credentials/credentials.c +++ b/src/libsecutils/src/credentials/credentials.c 
@@ -40,9 +40,9 @@ struct credentials } /* CREDENTIALS */; -CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY* pkey, const OPTIONAL X509* cert, - OPTIONAL const STACK_OF(X509) * chain, OPTIONAL const char* pwd, - OPTIONAL const char* pwdref) +CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY *pkey, OPTIONAL const X509 *cert, + OPTIONAL const STACK_OF(X509) *chain, OPTIONAL const char *pwd, + OPTIONAL const char *pwdref) { const char* pass = pwd; if (pwd not_eq 0 and strncmp(pwd, sec_PASS_STR, strlen(sec_PASS_STR)) is_eq 0) From c2500e4863a584bbf522fdb9a06a8a905a17d975 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Wed, 15 Oct 2025 17:47:01 +0200 Subject: [PATCH 04/14] constify some parameters of STORE_*() functions --- src/libsecutils/include/secutils/credentials/store.h | 8 ++++---- src/libsecutils/src/credentials/store.c | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/libsecutils/include/secutils/credentials/store.h b/src/libsecutils/include/secutils/credentials/store.h index 4e9967f..d404fd7 100644 --- a/src/libsecutils/include/secutils/credentials/store.h +++ b/src/libsecutils/include/secutils/credentials/store.h @@ -62,7 +62,7 @@ bool STORE_set1_desc(X509_STORE* store, OPTIONAL const char* desc); * @param store the certificate trust store * @return description to use for diagnostics, or null on failure or if not set */ -const char* STORE_get0_desc(OPTIONAL X509_STORE* store); +const char *STORE_get0_desc(OPTIONAL const X509_STORE *store); /*!***************************************************************************** * @brief set various optional verification parameters in the given trust store 
@@ -127,8 +127,8 @@ bool STORE_set_crl_callback(X509_STORE* store, * @param desc description of the CRL to use for any error messages, or null * @return pointer to downloaded CRL, or null on error */ -X509_CRL* STORE_fetch_crl(X509_STORE* store, OPTIONAL const char* url, int timeout, - const X509* cert, OPTIONAL const char* desc); +X509_CRL *STORE_fetch_crl(const X509_STORE *store, OPTIONAL const char *url, int timeout, + const X509 *cert, OPTIONAL const char *desc); /*! * @brief create or extend cert store structure with any given cert(s) @@ -262,7 +262,7 @@ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host); * @param store the certificate store to read from * @return the first host name that has been set, or null if unset or on failure */ -const char* STORE_get0_host(X509_STORE* store); +const char *STORE_get0_host(const X509_STORE *store); # ifndef SECUTILS_NO_TLS /*! diff --git a/src/libsecutils/src/credentials/store.c b/src/libsecutils/src/credentials/store.c index ff02798..f5bb47d 100644 --- a/src/libsecutils/src/credentials/store.c +++ b/src/libsecutils/src/credentials/store.c @@ -120,7 +120,7 @@ static void STORE_EX_free_index(void) } } -static STORE_EX* STORE_get_ex_data(X509_STORE* store) +static STORE_EX *STORE_get_ex_data(const X509_STORE *store) { STORE_EX* res = 0; if(store is_eq 0) @@ -129,7 +129,7 @@ static STORE_EX* STORE_get_ex_data(X509_STORE* store) } else { - res = X509_STORE_get_ex_data(store, STORE_EX_data_idx); + res = X509_STORE_get_ex_data((/* needed for OpenSSL < 3.0: */ X509_STORE *)store, STORE_EX_data_idx); if(res is_eq 0) { LOG(FL_ERR, "STORE_EX not found"); @@ -617,7 +617,7 @@ bool STORE_set1_desc(X509_STORE* store, OPTIONAL const char *desc) return (ex_data->desc == NULL) == (desc == NULL); } -const char* STORE_get0_desc(OPTIONAL X509_STORE* store) +const char *STORE_get0_desc(OPTIONAL const X509_STORE *store) { if(0 is_eq store) { 
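Review bot: The cast `(X509_STORE *)store` in STORE_get_ex_data discards the const qualifier this commit adds to the parameter, and it is applied unconditionally although its own comment says it is only needed for OpenSSL < 3.0, where X509_STORE_get_ex_data() takes a non-const store. Guarding the cast with `#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0` (the macro store.c already uses elsewhere) keeps the compiler's const checking in 3.0+ builds. The comment should also say that the cast is harmless only because X509_STORE_get_ex_data() does not write through the pointer, so nobody later reuses the pattern for a setter. STORE_get_ex_data's body continues past the hunk; the STORE_get0_desc hunk on the same line raises nothing.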
@@ -799,8 +799,8 @@ static X509_CRL *load_crl_http(OPTIONAL void *arg, OPTIONAL const char *url, int return 0; } -X509_CRL* STORE_fetch_crl(X509_STORE* ts, OPTIONAL const char* url, int timeout, - const X509* cert, OPTIONAL const char* desc) +X509_CRL *STORE_fetch_crl(const X509_STORE *ts, OPTIONAL const char *url, int timeout, + const X509 *cert, OPTIONAL const char *desc) { if (url not_eq 0 and strncmp(url, "file:", 5) is_eq 0) { @@ -843,7 +843,7 @@ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host) return true; } -const char* STORE_get0_host(X509_STORE* store) +const char *STORE_get0_host(const X509_STORE *store) { const STORE_EX* ex_data = STORE_get_ex_data(store); const char* host = ex_data not_eq 0 ? ex_data->host : 0; From 0d7e5d992a6b1c2bcef819ee45f3a040b4e6f5bd Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Wed, 15 Oct 2025 19:16:19 +0200 Subject: [PATCH 05/14] STORE_set1_host{,_ip}(),STORE_get0_host(): clean up for OpenSSL 3.0+: remove ex_data->host and update comments --- .../include/secutils/credentials/store.h | 3 +- src/libsecutils/src/credentials/store.c | 48 +++++++++++++------ src/libsecutils/src/credentials/verify.c | 3 -- 3 files changed, 36 insertions(+), 18 deletions(-) diff --git a/src/libsecutils/include/secutils/credentials/store.h b/src/libsecutils/include/secutils/credentials/store.h index d404fd7..ba1cde7 100644 --- a/src/libsecutils/include/secutils/credentials/store.h +++ b/src/libsecutils/include/secutils/credentials/store.h 
@@ -252,7 +252,8 @@ bool STORE_EX_check_index(void); * @param store the affected certificate store * @param host the host name to set, or null to clear it * @return true on success, false on failure - * @note since OpenSSL 3.0, this is no more needed due to X509_VERIFY_PARAM_get0_host() being available + * @note since OpenSSL 3.0, due to X509_VERIFY_PARAM_get0_host() being available, + * this function is no more needed and just returns true */ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host); diff --git a/src/libsecutils/src/credentials/store.c b/src/libsecutils/src/credentials/store.c index f5bb47d..42034de 100644 --- a/src/libsecutils/src/credentials/store.c +++ b/src/libsecutils/src/credentials/store.c @@ -34,8 +34,9 @@ typedef struct STORE_ex_st BIO* tls_bio; /* indicates CMP_PKIMESSAGE_http_perform() with TLS is active */ #endif const char* desc; /* description to be used for diagnostic purposes */ +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 const char* host; /* expected host name in cert, for diagnostic purposes */ - /* Since OpenSSL 3.0, the host part could be replaced by using X509_VERIFY_PARAM_get0_host() */ +#endif CONN_load_crl_cb_t crl_cb; OPTIONAL void* crl_cb_arg; revstatus_access cdps; @@ -80,7 +81,9 @@ static void STORE_EX_free(ossl_unused X509_STORE* ts, STORE_EX* ex_data, ossl_un if(0 not_eq ex_data) { OPENSSL_free((char*)ex_data->desc); +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 OPENSSL_free((char*)ex_data->host); +#endif OPENSSL_free((char*)ex_data->cdps.urls); OPENSSL_free((char*)ex_data->ocsp.urls); OPENSSL_free(ex_data); 
@@ -478,7 +481,10 @@ bool STORE_set1_host_ip(X509_STORE* ts, OPTIONAL const char* name, OPTIONAL cons X509_VERIFY_PARAM* ts_vpm = X509_STORE_get0_param(ts); /* first clear any host names, IP addresses, and email addresses */ - if(not STORE_set1_host(ts, 0) or + if( +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 + not STORE_set1_host(ts, 0) or +#endif 0 is_eq X509_VERIFY_PARAM_set1_host(ts_vpm, 0, 0) or 0 is_eq X509_VERIFY_PARAM_set1_ip(ts_vpm, 0, 0) or 0 is_eq X509_VERIFY_PARAM_set1_email(ts_vpm, 0, 0)) @@ -515,15 +521,19 @@ bool STORE_set1_host_ip(X509_STORE* ts, OPTIONAL const char* name, OPTIONAL cons } if(name_str not_eq 0 and (ip_str is_eq 0 or (res is_eq false and strcmp(name, ip) is_eq 0))) { - /* Unfortunately, before OpenSSL 3.0, there was no API function for retrieving the - hostname/ip entries in X509_VERIFY_PARAM. So we store the host value - in ex_data for use in CREDENTIALS_print_cert_verify_cb(). */ res = X509_VERIFY_PARAM_set1_host(ts_vpm, name_str, 0) not_eq 0; +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 + /* + * Before OpenSSL 3.0, there was no API function for retrieving the + * hostname/ip entries in X509_VERIFY_PARAM. So we store the host value + * in ex_data for use in CREDENTIALS_print_cert_verify_cb(). + * Since OpenSSL 3.0, this is no more needed as X509_VERIFY_PARAM_get0_host() is available. + */ if(res not_eq false) { - /* Since OpenSSL 3.0, this is no more needed due to X509_VERIFY_PARAM_get0_host() being available */ res = STORE_set1_host(ts, name_str); } +#endif } if(res is_eq false) { @@ -833,6 +843,7 @@ X509_CRL *STORE_fetch_crl(const X509_STORE *ts, OPTIONAL const char *url, int ti /* Since OpenSSL 3.0, this is no more needed due to X509_VERIFY_PARAM_get0_host() being available */ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host) { +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 STORE_EX* ex_data = STORE_get_ex_data(store); if(ex_data is_eq 0) { 
@@ -841,20 +852,29 @@ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host) OPENSSL_free((char*)ex_data->host); ex_data->host = OPENSSL_strdup(host); return true; +#else + /* prevent warnings on unused parameters: */ + (void)store; + (void)host; + return true; +#endif } const char *STORE_get0_host(const X509_STORE *store) { +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 + /* + * Before OpenSSL 3.0, there is no OpenSSL API function for retrieving the + * hostname/ip entries in X509_VERIFY_PARAM. So we use ts->ex_data. + * This works for names we set ourselves but not verify_hostname. + */ const STORE_EX* ex_data = STORE_get_ex_data(store); - const char* host = ex_data not_eq 0 ? ex_data->host : 0; -#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_3_0_0 - if (host is_eq 0) - { - X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(store); - host = X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname set in store vpm */); - } + + return ex_data != NULL ? ex_data->host : NULL; +#else + /* first hostname set in store vpm: */ + return X509_VERIFY_PARAM_get0_host(X509_STORE_get0_param(store), 0); #endif - return host; } #ifndef SECUTILS_NO_TLS diff --git a/src/libsecutils/src/credentials/verify.c b/src/libsecutils/src/credentials/verify.c index 7fd8f83..0ffaaa7 100644 --- a/src/libsecutils/src/credentials/verify.c +++ b/src/libsecutils/src/credentials/verify.c @@ -93,9 +93,6 @@ int CREDENTIALS_print_cert_verify_cb(int ok, X509_STORE_CTX* store_ctx) break; case X509_V_ERR_HOSTNAME_MISMATCH: case X509_V_ERR_IP_ADDRESS_MISMATCH: - /* Unfortunately there is no OpenSSL API function for retrieving the - hostname/ip entries in X509_VERIFY_PARAM. So we use ts->ex_data. - This works for names we set ourselves but not verify_hostname. */ expected = STORE_get0_host(ts); break; case X509_V_ERR_INVALID_PURPOSE: From 7c1c69df96c439e29f9a269b504cf1d030a56291 Mon Sep 17 00:00:00 2001 
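Review bot: In the OpenSSL 3.0+ branch of STORE_get0_host a null `store` goes straight into X509_STORE_get0_param(), which as a plain field accessor dereferences it, while the pre-3.0 branch tolerates a null store because STORE_get_ex_data() checks for it and returns 0. A guard at the top of the function, `if (store == NULL) return NULL;`, makes the result independent of the OpenSSL version and matches the explicit null check STORE_get0_desc() performs. The new comment in the pre-3.0 branch refers to `ts->ex_data` although the parameter is named `store`; `store->ex_data` would read correctly. The verify.c hunk on the same line only removes a comment.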
From: "Dr. David von Oheimb" Date: Wed, 15 Oct 2025 17:31:56 +0200 Subject: [PATCH 06/14] fix CONN_IS_IP_ADDR() introducing more correct CONN_is_IP_address() --- .../include/secutils/connections/conn.h | 10 +++++- src/libsecutils/src/connections/conn.c | 32 +++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/src/libsecutils/include/secutils/connections/conn.h b/src/libsecutils/include/secutils/connections/conn.h index 068b03c..c6be0bc 100644 --- a/src/libsecutils/include/secutils/connections/conn.h +++ b/src/libsecutils/include/secutils/connections/conn.h @@ -24,7 +24,15 @@ static const char* const CONN_https_prefix = "https://"; #define CONN_IS_HTTP( uri) ((uri) != NULL && HAS_PREFIX(uri, OSSL_HTTP_PREFIX )) #define CONN_IS_HTTPS(uri) ((uri) != NULL && HAS_PREFIX(uri, OSSL_HTTPS_PREFIX)) -#define CONN_IS_IP_ADDR(host) ((host) != NULL && ((*(host) >= '0' && *(host) <= '9') || *(host) == '[')) +#define CONN_IS_IP_ADDR(host) CONN_is_IP_address(host) + +/*!***************************************************************************** + * @brief check if host string is an IP address (as opposed to domain name) + * @note an IPv6 address must be enclosed in '[' and ']'. + * @param host identifier string to be checked, or null. + * @return 1 if string is an IP address, 0 otherwise + ******************************************************************************/ +bool CONN_is_IP_address(OPTIONAL const char *host); /*!***************************************************************************** * @brief parse hostname or URI of the form "[http[s]://][@][:][/]" diff --git a/src/libsecutils/src/connections/conn.c b/src/libsecutils/src/connections/conn.c index c8f6368..6499670 100644 --- a/src/libsecutils/src/connections/conn.c +++ b/src/libsecutils/src/connections/conn.c 
@@ -21,8 +21,40 @@ # include #endif +/* for getaddrinfo() and freeaddrinfo() */ +#include +#include +#include +#ifdef _WIN32 +# include +# include +#endif + #include +bool CONN_is_IP_address(OPTIONAL const char *host) +{ + size_t len; + struct addrinfo hints, *res; + int ret; + + if (host == NULL) + return false; + + /* presume IPv6 address literal if host has the form "[]" */ + len = strlen(host); + if (len > 2 && *host == '[' && strchr(host + 1, '[') == NULL + && strchr(host + 1, ']') == host + len - 1) + return true; + + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_NUMERICHOST; + ret = getaddrinfo(host, NULL, &hints, &res); + if (res != NULL) + freeaddrinfo(res); + return ret == 0; +} + static const char* skip_scheme(const char* str) { const char *scheme_end = strstr(str, CONN_scheme_postfix); From 0490fd7097dc5582fce43de1a99f1c2f8fbd1a11 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Thu, 16 Oct 2025 21:30:49 +0200 Subject: [PATCH 07/14] replace deprecated OCSP_parse_url() by OSSL_HTTP_parse_url() with OpenSSL 3.0+ --- src/libsecutils/src/connections/http.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/libsecutils/src/connections/http.c b/src/libsecutils/src/connections/http.c index 3859e96..179a17a 100644 --- a/src/libsecutils/src/connections/http.c +++ b/src/libsecutils/src/connections/http.c @@ -29,6 +29,10 @@ # endif # include +# if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0 +# define OSSL_HTTP_parse_url(url, s, u, h, p, n, path, q, f) OCSP_parse_url(url, h, p, path, s) +# endif + /* TODO replace this all by new API in http.h of OpenSSL 3.0 */ static int REQ_CTX_i2d(OCSP_REQ_CTX* rctx, const char* content_type, 
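Review bot: In CONN_is_IP_address, `res` is never initialised, and POSIX does not promise that getaddrinfo() writes `*res` on failure, so `if (res != NULL) freeaddrinfo(res);` can read an indeterminate pointer after a failed lookup; declare it as `struct addrinfo hints, *res = NULL;`. The bracket check only inspects where the brackets are, so any `[...]` string, whatever it contains, is reported as an IP address without validation; running the text between the brackets through the same AI_NUMERICHOST lookup closes that gap, as sketched below. On Windows, getaddrinfo() additionally requires WSAStartup() to have been called; whether the library initialises Winsock before this function can be reached is not visible here.
```c
bool CONN_is_IP_address(OPTIONAL const char *host)
{
    size_t len;
    char inner[64]; /* text between '[' and ']'; longer than any IPv6 literal incl. a zone id */
    struct addrinfo hints, *res = NULL; /* getaddrinfo() need not set res on failure */
    int ret;

    /* … unchanged: null check … */

    /* IPv6 literal "[...]": validate the text between the brackets instead of presuming */
    len = strlen(host);
    if (len > 2 && *host == '[' && host[len - 1] == ']') {
        if (len - 2 >= sizeof(inner))
            return false;
        memcpy(inner, host + 1, len - 2);
        inner[len - 2] = '\0';
        host = inner;
    }

    /* … unchanged: hints setup, getaddrinfo(), freeaddrinfo(), return ret == 0 … */
```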
@@ -196,7 +200,7 @@ ASN1_VALUE* CONN_load_ASN1_http(const char* url, int req_timeout, LOG(FL_ERR, "null URL argument for downloading %s", desc); return 0; } - if(not OCSP_parse_url(url, &host, &port, &path, &use_ssl)) + if(not OSSL_HTTP_parse_url(url, &use_ssl, NULL, &host, &port, NULL, &path, NULL, NULL)) { LOG(FL_ERR, "cannot parse URL: '%s' for downloading %s", url, desc); goto err; From 349ead2df7a42e48370a8d51499c31cd37ef944f Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Thu, 16 Oct 2025 20:56:29 +0200 Subject: [PATCH 08/14] README.md: updates w.r.t. SW tool versions known to work here --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a30208c..83f21f5 100644 --- a/README.md +++ b/README.md @@ -48,10 +48,10 @@ also on a virtual machine or the Windows Subsystem for Linux ([WSL](https://docs and with MacOS. The following network and development tools are needed or recommended. -* Git (for getting the software, tested versions include 2.7.2, 2.11.0, 2.20, 2.30.2, 2.39.2, 2.47.0) -* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested versions include 3.18.4, 3.26.3, 3.27.7, 3.30.5) +* Git (for getting the software, tested versions include 2.7.2, 2.11.0, 2.20, 2.34.1, 2.48.0) +* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested versions include 3.18.4, 3.22.1, 3.27.7, 3.31.5) * GNU make (tested versions include 3.81, 4.1, 4.2.1, 4.3) -* GNU C compiler (gcc, tested versions include 5.4.0, 7.3.0, 8.3.0, 10.0.1, 10.2.1, 12.2.0) +* GNU C compiler (gcc, tested versions include 5.4.0, 7.3.0, 8.3.0, 10.2.1, 11.4.0, 12.2.0) or clang (tested versions include 14.0.3, 17.0.3, 19.1.1) The following OSS components are used. From 23eb5a7705f78349fff0252e0a1550cffedebb60 Mon Sep 17 00:00:00 2001 
From: "Dr. David von Oheimb" Date: Thu, 16 Oct 2025 20:57:16 +0200 Subject: [PATCH 09/14] CMakeLists.txt: bump cmake_minimum_required to 3.18 (to prevent warnings) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 9b5fa64..c7df4a9 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,4 +1,4 @@ -cmake_minimum_required(VERSION 3.13) +cmake_minimum_required(VERSION 3.18) project( security-utilities From 14070c131523b231fb732099e2d57093966bf564 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Thu, 16 Oct 2025 21:32:00 +0200 Subject: [PATCH 10/14] CMakeLists.txt: fix TODO for not using OpenSSL SSL component if SECUTILS_NO_TLS --- CMakeLists.txt | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index c7df4a9..e3eb5c6 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -28,7 +28,11 @@ if(NOT DEFINED OPENSSL_ROOT_DIR AND NOT "$ENV{OPENSSL_DIR}" STREQUAL "") endif() if(NOT DEFINED OPENSSL_FOUND) # not already done by superordinate module set(OPENSSL_VERSION "(unknown)") - set(OPENSSL_COMPONENTS COMPONENTS Crypto SSL) # TODO SSL should not be needed if SECUTILS_NO_TLS + if(${SECUTILS_NO_TLS}) + set(OPENSSL_COMPONENTS COMPONENTS Crypto) + else() + set(OPENSSL_COMPONENTS COMPONENTS Crypto SSL) + endif() if(DEFINED OPENSSL_ROOT_DIR) find_package(OpenSSL HINTS "${OPENSSL_ROOT_DIR}" NO_DEFAULT_PATH ${OPENSSL_COMPONENTS}) else() From 9f9c1fb092b194e9de77c4c23445ead15cd43b96 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Thu, 16 Oct 2025 21:32:44 +0200 Subject: [PATCH 11/14] CMakeLists.txt: make sure to respect any set OPENSSL_DIR, in particular with macOS --- CMakeLists.txt | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index e3eb5c6..beec7e5 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -22,9 +22,8 @@ endif() message(STATUS "Build mode: ${CMAKE_BUILD_TYPE}") # improved from https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html -if(NOT DEFINED OPENSSL_ROOT_DIR AND NOT "$ENV{OPENSSL_DIR}" STREQUAL "") +if(NOT "$ENV{OPENSSL_DIR}" STREQUAL "") get_filename_component(OPENSSL_ROOT_DIR "$ENV{OPENSSL_DIR}" ABSOLUTE) - set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include") endif() if(NOT DEFINED OPENSSL_FOUND) # not already done by superordinate module set(OPENSSL_VERSION "(unknown)") @@ -34,7 +33,16 @@ if(NOT DEFINED OPENSSL_FOUND) # not already done by superordinate module set(OPENSSL_COMPONENTS COMPONENTS Crypto SSL) endif() if(DEFINED OPENSSL_ROOT_DIR) - find_package(OpenSSL HINTS "${OPENSSL_ROOT_DIR}" NO_DEFAULT_PATH ${OPENSSL_COMPONENTS}) + if(APPLE) # on macOS, work around find_package() not respecting HINTS and NO_DEFAULT_PATH + set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include") + file(READ "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSLV_CONTENT) + string(REGEX MATCH "OpenSSL ([0-9]+\\.[0-9]+\\.[0-9]+[^ ]*)" VERSION_MATCH "${OPENSSLV_CONTENT}") + if(VERSION_MATCH) + string(REGEX REPLACE "OpenSSL " "" OPENSSL_VERSION "${VERSION_MATCH}") + endif() + else() + find_package(OpenSSL HINTS "${OPENSSL_ROOT_DIR}" NO_DEFAULT_PATH ${OPENSSL_COMPONENTS}) + endif() else() find_package(OpenSSL ${OPENSSL_COMPONENTS}) endif() From 1d247f2eb03986ce268d7be969a331a0287d0c11 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Fri, 17 Oct 2025 13:11:13 +0200 Subject: [PATCH 12/14] CMakeLists.txt: fix setting OPENSSL_VERSION, OPENSSL_INCLUDE_DIR, and OPENSSL_LIB --- CMakeLists.txt | 54 ++++++++++++++++++++++++++++++++------------------ 1 file changed, 35 insertions(+), 19 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index beec7e5..2dafb1d 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -24,42 +24,59 @@ message(STATUS "Build mode: ${CMAKE_BUILD_TYPE}") # improved from https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html if(NOT "$ENV{OPENSSL_DIR}" STREQUAL "") get_filename_component(OPENSSL_ROOT_DIR "$ENV{OPENSSL_DIR}" ABSOLUTE) + if(NOT TARGET OpenSSL::Crypto) # not already handled by superordinate module + # invalidate defaults from CMakeCache.txt + set(OPENSSL_VERSION "") + set(OPENSSL_INCLUDE_DIR "") + set(OPENSSL_LIB_SET FALSE) + set(OPENSSL_CRYPTO_LIBRARY "") + set(OPENSSL_SSL_LIBRARY "") + endif() endif() -if(NOT DEFINED OPENSSL_FOUND) # not already done by superordinate module - set(OPENSSL_VERSION "(unknown)") +if(NOT "$ENV{OPENSSL_DIR}" STREQUAL "" OR + NOT TARGET OpenSSL::Crypto) # not already done by superordinate module if(${SECUTILS_NO_TLS}) set(OPENSSL_COMPONENTS COMPONENTS Crypto) else() set(OPENSSL_COMPONENTS COMPONENTS Crypto SSL) endif() if(DEFINED OPENSSL_ROOT_DIR) - if(APPLE) # on macOS, work around find_package() not respecting HINTS and NO_DEFAULT_PATH - set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include") - file(READ "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSLV_CONTENT) - string(REGEX MATCH "OpenSSL ([0-9]+\\.[0-9]+\\.[0-9]+[^ ]*)" VERSION_MATCH "${OPENSSLV_CONTENT}") - if(VERSION_MATCH) - string(REGEX REPLACE "OpenSSL " "" OPENSSL_VERSION "${VERSION_MATCH}") - endif() - else() + if(NOT APPLE) # on macOS, work around find_package() not respecting HINTS and NO_DEFAULT_PATH find_package(OpenSSL HINTS "${OPENSSL_ROOT_DIR}" NO_DEFAULT_PATH ${OPENSSL_COMPONENTS}) endif() else() find_package(OpenSSL ${OPENSSL_COMPONENTS}) endif() - STRING(REGEX REPLACE "/?/libcrypto\..*" "" OPENSSL_LIB "${OPENSSL_CRYPTO_LIBRARY}") + STRING(REGEX REPLACE ";.*" "" OPENSSL_INCLUDE_DIR "${OPENSSL_INCLUDE_DIR}") + if(NOT OPENSSL_INCLUDE_DIR) + set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include") + endif() + if(NOT OPENSSL_VERSION) + file(READ "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSLV_CONTENT) + string(REGEX MATCH "OpenSSL 
([0-9]+\\.[0-9]+\\.[0-9]+[^ ]*)" VERSION_MATCH "${OPENSSLV_CONTENT}") + if(VERSION_MATCH) + string(REGEX REPLACE "OpenSSL " "" OPENSSL_VERSION "${VERSION_MATCH}") + else() + set(OPENSSL_VERSION "(unknown)") + endif() + endif() endif() message(STATUS "using OpenSSL version ${OPENSSL_VERSION}") message(STATUS "using OpenSSL inc dir ${OPENSSL_INCLUDE_DIR}") -STRING(REGEX REPLACE ";.*" "" OPENSSL_INCLUDE_DIR "${OPENSSL_INCLUDE_DIR}") if(NOT EXISTS "${OPENSSL_INCLUDE_DIR}/openssl") message(FATAL_ERROR "OpenSSL include directory does not exist: ${OPENSSL_INCLUDE_DIR}/openssl") endif() -if("$ENV{OPENSSL_LIB}" STREQUAL "" AND NOT "$ENV{OPENSSL_DIR}" STREQUAL "") - set(ENV{OPENSSL_LIB} $ENV{OPENSSL_DIR}) -endif() -if(NOT DEFINED OPENSSL_LIB_SET AND NOT "$ENV{OPENSSL_LIB}" STREQUAL "") - set(OPENSSL_LIB_SET 1) - get_filename_component(OPENSSL_LIB "$ENV{OPENSSL_LIB}" ABSOLUTE) +if(NOT TARGET OpenSSL::Crypto) # not already done by superordinate module + set(OPENSSL_LIB "$ENV{OPENSSL_LIB}") + if(NOT OPENSSL_LIB) + if (NOT "$ENV{OPENSSL_DIR}" STREQUAL "") + set(OPENSSL_LIB $ENV{OPENSSL_DIR}) + elseif(OPENSSL_CRYPTO_LIBRARY) + get_filename_component(OPENSSL_LIB "${OPENSSL_CRYPTO_LIBRARY}" DIRECTORY) + endif() + endif() + get_filename_component(OPENSSL_LIB "${OPENSSL_LIB}" ABSOLUTE) + message(STATUS "using OpenSSL lib dir ${OPENSSL_LIB}") if(NOT EXISTS "${OPENSSL_LIB}") message(FATAL_ERROR "directory OPENSSL_LIB does not exist: ${OPENSSL_LIB}") endif() @@ -79,7 +96,6 @@ if(NOT DEFINED OPENSSL_LIB_SET AND NOT "$ENV{OPENSSL_LIB}" STREQUAL "") set(OPENSSL_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY} ${OPENSSL_SSL_LIBRARY}) endif() endif() -message(STATUS "using OpenSSL lib dir ${OPENSSL_LIB}") message(STATUS "using OpenSSL library ${OPENSSL_CRYPTO_LIBRARY}, ${OPENSSL_SSL_LIBRARY}") if(NOT EXISTS "${OPENSSL_CRYPTO_LIBRARY}") message(FATAL_ERROR "OpenSSL crypto library file does not exist: ${OPENSSL_CRYPTO_LIBRARY}") From 2e0b97c4193393a819aeadd7f10e61bf2b545513 Mon Sep 17 00:00:00 2001 
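Review bot: `file(READ "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" ...)` in the new `if(NOT OPENSSL_VERSION)` block runs before the `if(NOT EXISTS "${OPENSSL_INCLUDE_DIR}/openssl")` check that follows it, so a wrong OPENSSL_DIR now fails inside file(READ) with a generic error instead of the intended FATAL_ERROR message; moving the existence check ahead of the read, or guarding the read with `if(EXISTS ...)`, keeps the diagnostic. In the OPENSSL_LIB fallback, `set(OPENSSL_LIB $ENV{OPENSSL_DIR})` is the one unquoted expansion in the block; `set(OPENSSL_LIB "$ENV{OPENSSL_DIR}")` matches the surrounding lines and survives paths containing spaces or semicolons. `set(OPENSSL_LIB_SET FALSE)` has no visible reader now that the later condition tests `TARGET OpenSSL::Crypto`; if nothing below the hunk uses it, it can go. The enclosing `if(NOT TARGET OpenSSL::Crypto)` block continues past the end of the hunk.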
From: "Dr. David von Oheimb" Date: Fri, 17 Oct 2025 09:38:03 +0200 Subject: [PATCH 13/14] CMakeLists.txt: fix default build mode to be Release; improve related diagnostics --- .github/workflows/build.yml | 4 ++-- CMakeLists.txt | 11 +++++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b1f156f..1bce58e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -31,9 +31,9 @@ jobs: #sudo apt-get install -y >/dev/null cmake # build-essential git libssl-dev mkdir build cd build - SECUTILS_NO_TLS=1 cmake -S .. -B . + SECUTILS_NO_TLS=1 cmake -S .. -B . # Release by default cmake --build . - SECUTILS_USE_ICV=1 cmake -DCMAKE_BUILD_TYPE=Release -S .. -B . + SECUTILS_USE_ICV=1 cmake -DCMAKE_BUILD_TYPE=Debug -S .. -B . make clean build DESTDIR=tmp make install uninstall make deb diff --git a/CMakeLists.txt b/CMakeLists.txt index 2dafb1d..6523e95 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -8,13 +8,16 @@ message(STATUS "SecurityUtilities version ${security-utilities_VERSION}") # set(CMAKE_VERBOSE_MAKEFILE on) -if(DEFINED ENV{NDEBUG}) - message(STATUS "Setting build type to 'Release' because NDEBUG was set.") +if(DEFINED ENV{NDEBUG} OR NOT CMAKE_BUILD_TYPE MATCHES Debug) + if(DEFINED ENV{NDEBUG}) + message(STATUS "Setting build type to 'Release' because NDEBUG was set.") + elseif(NOT CMAKE_BUILD_TYPE) + message(STATUS "Setting build type to 'Release' by default.") + endif() set(CMAKE_BUILD_TYPE Release # automatically leads to CFLAGS += -DNDEBUG -O3 CACHE STRING "Choose the type of build." FORCE) -elseif(NOT CMAKE_BUILD_TYPE) - message(STATUS "Setting build type to 'Debug' as none was specified.") +else() set(CMAKE_BUILD_TYPE Debug # automatically leads to CFLAGS += -g # -O0 not added by default CACHE STRING "Choose the type of build." FORCE) From e7ce87978eae7f275ce8757eb0f9c2ab8a8294aa Mon Sep 17 00:00:00 2001 
From: "Dr. David von Oheimb" Date: Fri, 17 Oct 2025 08:55:12 +0200 Subject: [PATCH 14/14] CMakeLists.txt,Makefile_v1,debian/: advance to version 2.1 --- CMakeLists.txt | 2 +- Makefile_v1 | 2 +- README.md | 2 +- debian/changelog | 6 ++++++ debian/control | 2 +- 5 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6523e95..264deae 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.18) project( security-utilities - VERSION 2.0.0 # always 3 components for correct versioning + VERSION 2.1.0 # always 3 components for correct versioning LANGUAGES C) message(STATUS "SecurityUtilities version ${security-utilities_VERSION}") diff --git a/Makefile_v1 b/Makefile_v1 index 2378281..511dc29 100644 --- a/Makefile_v1 +++ b/Makefile_v1 @@ -33,7 +33,7 @@ ifeq ($(OUT_DIR),) override OUT_DIR = . endif -VERSION=2.0 +VERSION=2.1 # must be kept in sync with debian/changelog and CMakeLists.txt # PACKAGENAME=libsecutils # DIRNAME=$(PACKAGENAME)-$(VERSION) diff --git a/README.md b/README.md index 83f21f5..5f21baa 100644 --- a/README.md +++ b/README.md @@ -178,7 +178,7 @@ With that directory, artifacts are placed in the usual subdirectories. ### Building Debian packages -This repository can build the following Debian and source packages. +On Linux, this repository can build the following Debian and source packages. * `libsecutils` -- the shared library * `libsecutils-dev` -- development headers and documentation diff --git a/debian/changelog b/debian/changelog index 222c224..8b48bd2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +libsecutils (2.1) stable; urgency=medium + + * Various fixes on build system, code, and OpenSSL version compatibility + + -- David von Oheimb Fri, 17 Oct 2025 08:53:10 +0200 + libsecutils (2.0) stable; urgency=medium * Improved build system; various small fixes diff --git a/debian/control b/debian/control index 871b3eb..7de033a 100644 
--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,7 @@ Description: OpenSSL enhancement wrapper library
  With extended support for certficate status checking using CRLs and/or OCSP
 
 Package: libsecutils-dev
-Depends: libsecutils (>= 2.0), ${misc:Depends}
+Depends: libsecutils (>= 2.1), ${misc:Depends}
 Suggests: libssl-dev, libuta-dev
 Section: devel
 Architecture: all