Prepare v2.1; various small fixes on code, build system, docs, and version compatibility

.github/workflows/build.yml

@@ -31,9 +31,9 @@ jobs:
           #sudo apt-get install -y >/dev/null cmake # build-essential git libssl-dev
           mkdir build
           cd build
-          SECUTILS_NO_TLS=1 cmake -S .. -B .
+          SECUTILS_NO_TLS=1 cmake -S .. -B . # Release by default
           cmake --build .
-          SECUTILS_USE_ICV=1 cmake -DCMAKE_BUILD_TYPE=Release -S .. -B .
+          SECUTILS_USE_ICV=1 cmake -DCMAKE_BUILD_TYPE=Debug -S .. -B .
           make clean build
           DESTDIR=tmp make install uninstall
           make deb

CMakeLists.txt

@@ -1,53 +1,85 @@
-cmake_minimum_required(VERSION 3.13)
+cmake_minimum_required(VERSION 3.18)
 
 project(
   security-utilities
-  VERSION 2.0.0 # always 3 components for correct versioning
+  VERSION 2.1.0 # always 3 components for correct versioning
   LANGUAGES C)
 message(STATUS "SecurityUtilities version ${security-utilities_VERSION}")
 
 # set(CMAKE_VERBOSE_MAKEFILE on)
 
-if(DEFINED ENV{NDEBUG})
-  message(STATUS "Setting build type to 'Release' because NDEBUG was set.")
+if(DEFINED ENV{NDEBUG} OR NOT CMAKE_BUILD_TYPE MATCHES Debug)
+  if(DEFINED ENV{NDEBUG})
+    message(STATUS "Setting build type to 'Release' because NDEBUG was set.")
+  elseif(NOT CMAKE_BUILD_TYPE)
+    message(STATUS "Setting build type to 'Release' by default.")
+  endif()
   set(CMAKE_BUILD_TYPE
     Release  # automatically leads to CFLAGS += -DNDEBUG -O3
     CACHE STRING "Choose the type of build." FORCE)
-elseif(NOT CMAKE_BUILD_TYPE)
-  message(STATUS "Setting build type to 'Debug' as none was specified.")
+else()
   set(CMAKE_BUILD_TYPE
     Debug  # automatically leads to CFLAGS += -g  # -O0 not added by default
     CACHE STRING "Choose the type of build." FORCE)
 endif()
 message(STATUS "Build mode: ${CMAKE_BUILD_TYPE}")
 
 # improved from https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
-if(NOT DEFINED OPENSSL_ROOT_DIR AND NOT "$ENV{OPENSSL_DIR}" STREQUAL "")
+if(NOT "$ENV{OPENSSL_DIR}" STREQUAL "")
   get_filename_component(OPENSSL_ROOT_DIR "$ENV{OPENSSL_DIR}" ABSOLUTE)
-  set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include")
+  if(NOT TARGET OpenSSL::Crypto) # not already handled by superordinate module
+    # invalidate defaults from CMakeCache.txt
+    set(OPENSSL_VERSION "")
+    set(OPENSSL_INCLUDE_DIR "")
+    set(OPENSSL_LIB_SET FALSE)
+    set(OPENSSL_CRYPTO_LIBRARY "")
+    set(OPENSSL_SSL_LIBRARY "")
+  endif()
 endif()
-if(NOT DEFINED OPENSSL_FOUND) # not already done by superordinate module
-  set(OPENSSL_VERSION "(unknown)")
-  set(OPENSSL_COMPONENTS COMPONENTS Crypto SSL) # TODO SSL should not be needed if SECUTILS_NO_TLS
+if(NOT "$ENV{OPENSSL_DIR}" STREQUAL "" OR
+   NOT TARGET OpenSSL::Crypto) # not already done by superordinate module
+  if(${SECUTILS_NO_TLS})
+    set(OPENSSL_COMPONENTS COMPONENTS Crypto)
+  else()
+    set(OPENSSL_COMPONENTS COMPONENTS Crypto SSL)
+  endif()
   if(DEFINED OPENSSL_ROOT_DIR)
-    find_package(OpenSSL HINTS "${OPENSSL_ROOT_DIR}" NO_DEFAULT_PATH ${OPENSSL_COMPONENTS})
+    if(NOT APPLE) # on macOS, work around find_package() not respecting HINTS and NO_DEFAULT_PATH
+      find_package(OpenSSL HINTS "${OPENSSL_ROOT_DIR}" NO_DEFAULT_PATH ${OPENSSL_COMPONENTS})
+    endif()
   else()
     find_package(OpenSSL ${OPENSSL_COMPONENTS})
   endif()
-  STRING(REGEX REPLACE "/?/libcrypto\..*" "" OPENSSL_LIB "${OPENSSL_CRYPTO_LIBRARY}")
+  STRING(REGEX REPLACE ";.*" "" OPENSSL_INCLUDE_DIR "${OPENSSL_INCLUDE_DIR}")
+  if(NOT OPENSSL_INCLUDE_DIR)
+    set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include")
+  endif()
+  if(NOT OPENSSL_VERSION)
+    file(READ "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSLV_CONTENT)
+    string(REGEX MATCH "OpenSSL ([0-9]+\\.[0-9]+\\.[0-9]+[^ ]*)" VERSION_MATCH "${OPENSSLV_CONTENT}")
+    if(VERSION_MATCH)
+      string(REGEX REPLACE "OpenSSL " "" OPENSSL_VERSION "${VERSION_MATCH}")
+    else()
+      set(OPENSSL_VERSION "(unknown)")
+    endif()
+  endif()
 endif()
 message(STATUS "using OpenSSL version ${OPENSSL_VERSION}")
 message(STATUS "using OpenSSL inc dir ${OPENSSL_INCLUDE_DIR}")
-STRING(REGEX REPLACE ";.*" "" OPENSSL_INCLUDE_DIR "${OPENSSL_INCLUDE_DIR}")
 if(NOT EXISTS "${OPENSSL_INCLUDE_DIR}/openssl")
   message(FATAL_ERROR "OpenSSL include directory does not exist: ${OPENSSL_INCLUDE_DIR}/openssl")
 endif()
-if("$ENV{OPENSSL_LIB}" STREQUAL "" AND NOT "$ENV{OPENSSL_DIR}" STREQUAL "")
-  set(ENV{OPENSSL_LIB} $ENV{OPENSSL_DIR})
-endif()
-if(NOT DEFINED OPENSSL_LIB_SET AND NOT "$ENV{OPENSSL_LIB}" STREQUAL "")
-  set(OPENSSL_LIB_SET 1)
-  get_filename_component(OPENSSL_LIB "$ENV{OPENSSL_LIB}" ABSOLUTE)
+if(NOT TARGET OpenSSL::Crypto) # not already done by superordinate module
+  set(OPENSSL_LIB "$ENV{OPENSSL_LIB}")
+  if(NOT OPENSSL_LIB)
+    if (NOT "$ENV{OPENSSL_DIR}" STREQUAL "")
+      set(OPENSSL_LIB $ENV{OPENSSL_DIR})
+    elseif(OPENSSL_CRYPTO_LIBRARY)
+      get_filename_component(OPENSSL_LIB "${OPENSSL_CRYPTO_LIBRARY}" DIRECTORY)
+    endif()
+  endif()
+  get_filename_component(OPENSSL_LIB "${OPENSSL_LIB}" ABSOLUTE)
+  message(STATUS "using OpenSSL lib dir ${OPENSSL_LIB}")
   if(NOT EXISTS "${OPENSSL_LIB}")
     message(FATAL_ERROR "directory OPENSSL_LIB does not exist: ${OPENSSL_LIB}")
   endif()
@@ -67,7 +99,6 @@ if(NOT DEFINED OPENSSL_LIB_SET AND NOT "$ENV{OPENSSL_LIB}" STREQUAL "")
     set(OPENSSL_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY} ${OPENSSL_SSL_LIBRARY})
   endif()
 endif()
-message(STATUS "using OpenSSL lib dir ${OPENSSL_LIB}")
 message(STATUS "using OpenSSL library ${OPENSSL_CRYPTO_LIBRARY}, ${OPENSSL_SSL_LIBRARY}")
 if(NOT EXISTS "${OPENSSL_CRYPTO_LIBRARY}")
   message(FATAL_ERROR "OpenSSL crypto library file does not exist: ${OPENSSL_CRYPTO_LIBRARY}")

Makefile_v1

@@ -33,7 +33,7 @@ ifeq ($(OUT_DIR),)
      override OUT_DIR = .
 endif
 
-VERSION=2.0
+VERSION=2.1
 # must be kept in sync with debian/changelog and CMakeLists.txt
 # PACKAGENAME=libsecutils
 # DIRNAME=$(PACKAGENAME)-$(VERSION)

README.md

@@ -48,10 +48,10 @@ also on a virtual machine or the Windows Subsystem for Linux ([WSL](https://docs
 and with MacOS.
 
 The following network and development tools are needed or recommended.
-* Git (for getting the software, tested versions include 2.7.2, 2.11.0, 2.20, 2.30.2, 2.39.2, 2.47.0)
-* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested versions include 3.18.4, 3.26.3, 3.27.7, 3.30.5)
+* Git (for getting the software, tested versions include 2.7.2, 2.11.0, 2.20, 2.34.1, 2.48.0)
+* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested versions include 3.18.4, 3.22.1, 3.27.7, 3.31.5)
 * GNU make (tested versions include 3.81, 4.1, 4.2.1, 4.3)
-* GNU C compiler (gcc, tested versions include 5.4.0, 7.3.0, 8.3.0, 10.0.1, 10.2.1, 12.2.0)
+* GNU C compiler (gcc, tested versions include 5.4.0, 7.3.0, 8.3.0, 10.2.1, 11.4.0, 12.2.0)
   or clang (tested versions include 14.0.3, 17.0.3, 19.1.1)
 
 The following OSS components are used.
@@ -178,7 +178,7 @@ With that directory, artifacts are placed in the usual subdirectories.
 
 ### Building Debian packages
 
-This repository can build the following Debian and source packages.
+On Linux, this repository can build the following Debian and source packages.
 
 * `libsecutils` -- the shared library
 * `libsecutils-dev` -- development headers and documentation

debian/changelog

@@ -1,3 +1,9 @@
+libsecutils (2.1) stable; urgency=medium
+
+  * Various fixes on build system, code, and OpenSSL version compatibility
+
+ -- David von Oheimb <David.von.Oheimb@siemens.com>  Fri, 17 Oct 2025 08:53:10 +0200
+
 libsecutils (2.0) stable; urgency=medium
 
   * Improved build system; various small fixes

debian/control

@@ -18,7 +18,7 @@ Description: OpenSSL enhancement wrapper library
  With extended support for certficate status checking using CRLs and/or OCSP
 
 Package: libsecutils-dev
-Depends: libsecutils (>= 2.0), ${misc:Depends}
+Depends: libsecutils (>= 2.1), ${misc:Depends}
 Suggests: libssl-dev, libuta-dev
 Section: devel
 Architecture: all

src/libsecutils/include/secutils/connections/conn.h

@@ -24,7 +24,15 @@ static const char* const CONN_https_prefix = "https://";
 
 #define CONN_IS_HTTP( uri) ((uri) != NULL && HAS_PREFIX(uri, OSSL_HTTP_PREFIX ))
 #define CONN_IS_HTTPS(uri) ((uri) != NULL && HAS_PREFIX(uri, OSSL_HTTPS_PREFIX))
-#define CONN_IS_IP_ADDR(host) ((host) != NULL && ((*(host) >= '0' && *(host) <= '9') || *(host) == '['))
+#define CONN_IS_IP_ADDR(host) CONN_is_IP_address(host)
+
+/*!*****************************************************************************
+ * @brief check if host string is an IP address (as opposed to domain name)
+ * @note an IPv6 address must be enclosed in '[' and ']'.
+ * @param host identifier string to be checked, or null.
+ * @return 1 if string is an IP address, 0 otherwise
+ ******************************************************************************/
+bool CONN_is_IP_address(OPTIONAL const char *host);
 
 /*!*****************************************************************************
  * @brief parse hostname or URI of the form "[http[s]://][<userinfo>@]<host>[:<port>][/<path>]"

src/libsecutils/include/secutils/credentials/cert.h

@@ -109,7 +109,7 @@ void CERTS_free(OPTIONAL STACK_OF(X509) *certs);
  * @return ASN.1 representation of the DN, or null on error
  *******************************************************************************/
 /* this function is used by the genCMPClient API implementation */
-X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn);
+X509_NAME* UTIL_parse_name(const char* dn, int chtype, bool multirdn);
 
 
 /*!*****************************************************************************

src/libsecutils/include/secutils/credentials/credentials.h

@@ -40,9 +40,9 @@ typedef const char* component_creds_id; /**< component credentials identifier */
  * @return pointer to a new CREDENTIALS structure, or null on error
  *******************************************************************************/
 /* this function is part of the genCMPClient API */
-CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY* pkey, OPTIONAL const OPTIONAL X509* cert,
-                             OPTIONAL const STACK_OF(X509) * chain, OPTIONAL const char* pwd,
-                             OPTIONAL const char* pwdref);
+CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY *pkey, OPTIONAL const X509 *cert,
+                             OPTIONAL const STACK_OF(X509) *chain, OPTIONAL const char *pwd,
+                             OPTIONAL const char *pwdref);
 
 /*!*****************************************************************************
  * @brief get private key component of the given credentials

src/libsecutils/include/secutils/credentials/store.h

@@ -62,7 +62,7 @@ bool STORE_set1_desc(X509_STORE* store, OPTIONAL const char* desc);
  * @param store the certificate trust store
  * @return description to use for diagnostics, or null on failure or if not set
  */
-const char* STORE_get0_desc(OPTIONAL X509_STORE* store);
+const char *STORE_get0_desc(OPTIONAL const X509_STORE *store);
 
 /*!*****************************************************************************
  * @brief set various optional verification parameters in the given trust store
@@ -127,8 +127,8 @@ bool STORE_set_crl_callback(X509_STORE* store,
  * @param desc description of the CRL to use for any error messages, or null
  * @return pointer to downloaded CRL, or null on error
  */
-X509_CRL* STORE_fetch_crl(X509_STORE* store, OPTIONAL const char* url, int timeout,
-                          const X509* cert, OPTIONAL const char* desc);
+X509_CRL *STORE_fetch_crl(const X509_STORE *store, OPTIONAL const char *url, int timeout,
+                          const X509 *cert, OPTIONAL const char *desc);
 
 /*!
  * @brief create or extend cert store structure with any given cert(s)
@@ -252,7 +252,8 @@ bool STORE_EX_check_index(void);
  * @param store the affected certificate store
  * @param host the host name to set, or null to clear it
  * @return true on success, false on failure
- * @note since OpenSSL 3.0, this is no more needed due to X509_VERIFY_PARAM_get0_host() being available
+ * @note since OpenSSL 3.0, due to X509_VERIFY_PARAM_get0_host() being available,
+ *       this function is no more needed and just returns true
  */
 bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host);
 
@@ -262,7 +263,7 @@ bool STORE_set1_host(X509_STORE* store, OPTIONAL const char* host);
  * @param store the certificate store to read from
  * @return the first host name that has been set, or null if unset or on failure
  */
-const char* STORE_get0_host(X509_STORE* store);
+const char *STORE_get0_host(const X509_STORE *store);
 
 # ifndef SECUTILS_NO_TLS
 /*!

src/libsecutils/src/connections/conn.c

@@ -21,8 +21,40 @@
 # include <openssl/ssl.h>
 #endif
 
+/* for getaddrinfo() and freeaddrinfo() */
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#ifdef _WIN32
+# include <winsock2.h>
+# include <ws2tcpip.h>
+#endif
+
 #include <operators.h>
 
+bool CONN_is_IP_address(OPTIONAL const char *host)
+{
+    size_t len;
+    struct addrinfo hints, *res;
+    int ret;
+
+    if (host == NULL)
+        return false;
+
+    /* presume IPv6 address literal if host has the form "[<other-chars>]" */
+    len = strlen(host);
+    if (len > 2 && *host == '[' && strchr(host + 1, '[') == NULL
+            && strchr(host + 1, ']') == host + len - 1)
+        return true;
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_flags = AI_NUMERICHOST;
+    ret = getaddrinfo(host, NULL, &hints, &res);
+    if (res != NULL)
+        freeaddrinfo(res);
+    return ret == 0;
+}
+
 static const char* skip_scheme(const char* str)
 {
     const char *scheme_end = strstr(str, CONN_scheme_postfix);

src/libsecutils/src/connections/http.c

@@ -29,6 +29,10 @@
 # endif
 # include <openssl/ocsp.h>
 
+# if OPENSSL_VERSION_NUMBER < OPENSSL_V_3_0_0
+#  define OSSL_HTTP_parse_url(url, s, u, h, p, n, path, q, f) OCSP_parse_url(url, h, p, path, s)
+# endif
+
 /* TODO replace this all by new API in http.h of OpenSSL 3.0 */
 
 static int REQ_CTX_i2d(OCSP_REQ_CTX* rctx, const char* content_type,
@@ -196,7 +200,7 @@ ASN1_VALUE* CONN_load_ASN1_http(const char* url, int req_timeout,
         LOG(FL_ERR, "null URL argument for downloading %s", desc);
         return 0;
     }
-    if(not OCSP_parse_url(url, &host, &port, &path, &use_ssl))
+    if(not OSSL_HTTP_parse_url(url, &use_ssl, NULL, &host, &port, NULL, &path, NULL, NULL))
     {
         LOG(FL_ERR, "cannot parse URL: '%s' for downloading %s", url, desc);
         goto err;

src/libsecutils/src/credentials/cert.c

@@ -77,7 +77,7 @@ void CERTS_free(OPTIONAL STACK_OF(X509) *certs)
  * The NULL-DN may be given as "/" or "".
  */
 /* adapted from OpenSSL:apps/lib/apps.c */
-X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn)
+X509_NAME* UTIL_parse_name(const char* dn, int chtype, bool multirdn)
 {
     size_t buflen = strlen(dn) + 1; /* to copy the types and values.
                                      * Due to escaping, the copy can only become shorter */

src/libsecutils/src/credentials/credentials.c

@@ -40,9 +40,9 @@ struct credentials
 } /* CREDENTIALS */;
 
 
-CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY* pkey, const OPTIONAL X509* cert,
-                             OPTIONAL const STACK_OF(X509) * chain, OPTIONAL const char* pwd,
-                             OPTIONAL const char* pwdref)
+CREDENTIALS* CREDENTIALS_new(OPTIONAL const EVP_PKEY *pkey, OPTIONAL const X509 *cert,
+                             OPTIONAL const STACK_OF(X509) *chain, OPTIONAL const char *pwd,
+                             OPTIONAL const char *pwdref)
 {
     const char* pass = pwd;
     if (pwd not_eq 0 and strncmp(pwd, sec_PASS_STR, strlen(sec_PASS_STR)) is_eq 0)